Prefer using IAM roles for tasks rather than using IAM roles for an instance

Instead of creating and distributing AWS credentials to your containers, or relying on the IAM role of the EC2 instance that hosts them, associate an IAM role with the ECS task definition (or with the RunTask API operation). Relying on the instance role means every privilege needed by any task on the cluster has to be granted to that one role, so each task can use privileges it does not need; a task role scopes permissions to the task that needs them. Note that on the EC2 launch type a container can still reach the instance role through the instance metadata endpoint unless that access is blocked (the ECS agent does this for bridge-mode tasks when task IAM roles are enabled, and ECS_AWSVPC_BLOCK_IMDS=true covers awsvpc tasks), so assigning a task role is only part of the picture.

Risk Level: Low
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.IAM.48
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsCluster where services contain [taskDefinition] should have services contain [taskDefinition.taskRoleArn]
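The rule above, rendered as a script, as an added example that is not part of the CloudGuard page or its GSL engine. It runs the check over constructed sample data shaped like the output of aws ecs describe-services and describe-task-definition (account id, region, cluster, service names and role names are made up); audit_cluster() runs the same logic against a live account with boto3 and is only called when you invoke it.

```python
"""Audit ECS services for task definitions with no task role.

Added example, not part of the CloudGuard page or its GSL engine: a pure
Python rendering of the rule above, run over constructed sample data
shaped like `aws ecs describe-services` / `describe-task-definition`
output.  The ARNs, service names and cluster name are made up.
"""
from typing import Dict, Iterable, List

ACCOUNT = "123456789012"  # constructed
REGION = "us-east-1"


def td_arn(family: str, revision: int) -> str:
    return f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/{family}:{revision}"


# Constructed sample: three services on one cluster (describe-services shape).
SAMPLE_SERVICES = [
    {"serviceName": "web", "taskDefinition": td_arn("web", 7)},
    {"serviceName": "worker", "taskDefinition": td_arn("worker", 3)},
    {"serviceName": "batch", "taskDefinition": td_arn("batch", 1)},
]

# Constructed sample: the task definitions those services point at
# (describe-task-definition shape, trimmed to the relevant fields).
SAMPLE_TASK_DEFINITIONS = {
    td_arn("web", 7): {
        "family": "web",
        "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/WebTaskRole",
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    },
    # executionRoleArn alone is not enough: the execution role is what the
    # ECS agent uses to pull images and ship logs, not what the application
    # code gets.  Without taskRoleArn, code in the container falls back to
    # whatever the EC2 instance role offers.
    td_arn("worker", 3): {
        "family": "worker",
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    },
    # An empty taskRoleArn is treated the same as a missing one.
    td_arn("batch", 1): {"family": "batch", "taskRoleArn": ""},
}


def has_task_role(task_definition: dict) -> bool:
    """True when the task definition sets a non-empty taskRoleArn."""
    return bool(task_definition.get("taskRoleArn", "").strip())


def services_without_task_role(
    services: Iterable[dict], task_definitions: Dict[str, dict]
) -> List[str]:
    """Names of services whose task definition lacks a task role.

    Mirrors the GSL rule: every service with a taskDefinition must point at
    a definition that has taskDefinition.taskRoleArn.  A service whose
    definition cannot be resolved is reported too, so a failed lookup never
    silently passes.
    """
    findings = []
    for svc in services:
        td = task_definitions.get(svc["taskDefinition"])
        if td is None or not has_task_role(td):
            findings.append(svc["serviceName"])
    return findings


def audit_cluster(cluster: str) -> List[str]:
    """Same check against a live account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample above runs without it

    ecs = boto3.client("ecs")
    arns: List[str] = []
    for page in ecs.get_paginator("list_services").paginate(cluster=cluster):
        arns.extend(page["serviceArns"])
    services: List[dict] = []
    for i in range(0, len(arns), 10):  # describe-services accepts at most 10 ARNs per call
        services.extend(
            ecs.describe_services(cluster=cluster, services=arns[i : i + 10])["services"]
        )
    definitions = {
        s["taskDefinition"]: ecs.describe_task_definition(
            taskDefinition=s["taskDefinition"]
        )["taskDefinition"]
        for s in services
    }
    return services_without_task_role(services, definitions)


if __name__ == "__main__":
    for name in services_without_task_role(SAMPLE_SERVICES, SAMPLE_TASK_DEFINITIONS):
        print(f"service {name}: task definition has no taskRoleArn")
```

Run as-is it reports the constructed worker and batch services; against a real cluster, call audit_cluster("your-cluster") with credentials that allow ecs:ListServices, ecs:DescribeServices and ecs:DescribeTaskDefinition.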

REMEDIATION

From Portal
Follow the steps below for each finding:

  1. Open the new console at https://console.aws.amazon.com/ecs/v2.
  2. From the navigation bar, choose the Region that contains your task definition.
  3. In the navigation pane, choose Task definitions.
  4. On the Task definitions page, choose the task definition, and then choose Create new revision.
  5. On the Create new task definition revision page, set Task role to the IAM role the task should assume (create it first, as described below, if it does not exist yet). Make any other changes you need at the same time, for example to the container definitions (container image, memory limits, port mappings).
  6. Verify the information, and then choose Create.
  7. Update every service that uses this task definition to the new revision; the finding stays open until the services actually run a revision that carries the task role.

To create an IAM role for your task and assign it in the task definition, perform the following:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles, Create role.
  3. For Select trusted entity section, choose AWS service.
  4. For Use case, using the drop down menu, select Elastic Container Service and then the Elastic Container Service Task use case and then choose Next.
  5. For Add permissions, search for and select the policy to use for your tasks (in this example AmazonECSTaskS3BucketPolicy), and then choose Next.
  6. On Step 3: Name, review, and create, do the following:
    a. For Role name, enter a name for your role. For this example, type AmazonECSTaskS3BucketRole to name the role.
    b. (Optional) For Description, specify a description for this IAM role.
    c. Review the trusted entity and permissions policy for the role.
    d. For Add tags (Optional), enter any metadata tags you want to associate with the IAM role, and then choose Create role.

From Command Line
You can register a new task definition revision that carries the task role from the command line. register-task-definition creates a whole new revision rather than editing the existing one, so the container definitions (and any other settings of the current revision, such as network mode, CPU and memory) must be passed along with the task role, otherwise the new revision will not contain them. Afterwards, point each service at the new revision with aws ecs update-service.

aws ecs register-task-definition --family PUT_VALUE --task-role-arn PUT_VALUE --container-definitions PUT_VALUE
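The role-creation steps and the command-line remediation above, carried out end to end as an added example; this is not code from the CloudGuard page or from AWS. The account id, region, role name (AmazonECSTaskS3BucketRole, after the page's example), bucket name, service and task definition family are illustrative, and CURRENT_REVISION is a constructed stand-in for what describe-task-definition returns. The document builders run offline; apply() performs the calls with boto3 and is only executed when you call it.

```python
"""Create a least-privilege task role and a revision that uses it.

Added example; not code from the CloudGuard page or from AWS.  The role
name, account id, region, bucket, cluster, service and task definition
family are illustrative.  The pure functions build the documents;
apply() sends them with boto3 and is only run when called explicitly.
"""
import json

ACCOUNT = "123456789012"  # constructed
REGION = "us-east-1"
ROLE_NAME = "AmazonECSTaskS3BucketRole"

# Fields that describe-task-definition returns but register-task-definition
# rejects; they must be dropped when cloning a revision.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def task_role_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy letting ECS tasks assume the role.

    The SourceAccount / SourceArn conditions stop a task in another account
    or region from assuming it (confused-deputy protection).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:ecs:{region}:{account_id}:*"},
            },
        }],
    }


def s3_read_policy(bucket: str) -> dict:
    """Only what the task needs: list and read one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def revision_with_task_role(current: dict, role_arn: str) -> dict:
    """Turn a describe-task-definition document into register-task-definition input.

    Everything the current revision defines (containers, network mode,
    CPU, memory, execution role, ...) is kept, so the new revision differs
    only in its task role.
    """
    new = {k: v for k, v in current.items() if k not in READ_ONLY_FIELDS}
    new["taskRoleArn"] = role_arn
    return new


# Constructed sample of an existing revision, as describe-task-definition returns it.
CURRENT_REVISION = {
    "taskDefinitionArn": f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/web:7",
    "family": "web",
    "revision": 7,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "requiresCompatibilities": ["FARGATE"],
    "compatibilities": ["EC2", "FARGATE"],
    "requiresAttributes": [{"name": "ecs.capability.execution-role-awslogs"}],
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    "containerDefinitions": [{"name": "web", "image": "example/web:1.0",
                              "portMappings": [{"containerPort": 8080}]}],
}


def apply(cluster: str, service: str, bucket: str) -> str:
    """Create the role, register the revision and roll the service onto it."""
    import boto3  # lazy import so the document builders above run offline

    iam, ecs = boto3.client("iam"), boto3.client("ecs")
    role_arn = iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(task_role_trust_policy(ACCOUNT, REGION)),
    )["Role"]["Arn"]
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="ReadBucket",
                        PolicyDocument=json.dumps(s3_read_policy(bucket)))
    svc = ecs.describe_services(cluster=cluster, services=[service])["services"][0]
    current = ecs.describe_task_definition(taskDefinition=svc["taskDefinition"])["taskDefinition"]
    new_arn = ecs.register_task_definition(
        **revision_with_task_role(current, role_arn)
    )["taskDefinition"]["taskDefinitionArn"]
    # The finding stays open until the service actually runs the new revision.
    ecs.update_service(cluster=cluster, service=service, taskDefinition=new_arn)
    return new_arn
```

To verify afterwards, aws ecs describe-task-definition --task-definition FAMILY --query taskDefinition.taskRoleArn should print the role ARN, and aws ecs describe-services for the service should show the new revision as its taskDefinition.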

References

  1. https://docs.aws.amazon.com/AmazonECS/latest/userguide/update-task-definition-console-v2.html
  2. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/register-task-definition.html

Amazon Elastic Container Service - Cluster

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset