Risk Level: Low
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.IAM.48
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsCluster where services contain [taskDefinition] should have services contain [taskDefinition.taskRoleArn]

REMEDIATION

From Portal
Follow the steps below for each finding:

Open the new console at https://console.aws.amazon.com/ecs/v2.
From the navigation bar, choose the Region that contains your task definition.\
In the navigation pane, choose Task definitions.
On the Task definitions page, choose the task, and then choose Create new revision.
On the Create new task definition revision page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, and then make the changes.
Verify the information, and then choose Create.

To create and IAM role for your task and assign it to ECS Cluster perform the following:

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles, Create role.
For Select trusted entity section, choose AWS service.
For Use case, using the drop down menu, select Elastic Container Service and then the Elastic Container Service Task use case and then choose Next.
For Add permissions, search for and select the policy to use for your tasks (in this example AmazonECSTaskS3BucketPolicy), and then choose Next.
On Step 3: Name, review, and create, do the following:
a. For Role name, enter a name for your role. For this example, type AmazonECSTaskS3BucketRole to name the role.
b. (Optional) For Description, specify a description for this IAM role.
c. Review the trusted entity and permissions policy for the role.
d. For Add tags (Optional), enter any metadata tags you want to associate with the IAM role, and then choose Create role.

From Command Line
You can use the following command in order to add task-role to your task definition:

aws ecs register-task-definition --family PUT_VALUE --task-role-arn PUT_VALUE

References

Amazon Elastic Container Service - Cluster

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS NIST 800-53 Rev 5
CloudGuard AWS All Rules Ruleset