ECS Service with Admin Roles

Granting least privilege, that is, only the permissions required to perform a task, is standard security advice. IAM policies are the means by which privileges are granted to users, groups, services or roles. Determine what services and users need to do, then craft policies that let them perform only those tasks, instead of granting full administrative privileges.

Risk Level: High
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.IAM.49
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EcsService should not have role.combinedPolicies contain [name like '%admin%']

REMEDIATION

From Portal:
For each ECS Service with Admin Roles, perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, first select Detach.
  5. Select all Users, Groups and Roles that have this policy attached.
  6. Click Detach Policy.
  7. In the policy action menu, select Detach.

From TF:

resource "aws_ecs_service" "test" {
	name            = "mongodb"
	cluster         = aws_ecs_cluster.foo.id
	task_definition = aws_ecs_task_definition.mongo.arn
	desired_count   = 3
	- iam_role        = "admin"
	depends_on      = [aws_iam_role_policy.foo]
}

From Command Line:

  1. List all IAM users, groups, and roles that the specified managed policy is attached to:
     aws iam list-entities-for-policy --policy-arn policy_arn
  2. Detach the policy from all IAM Users:
     aws iam detach-user-policy --user-name iam_user --policy-arn policy_arn
  3. Detach the policy from all IAM Groups:
     aws iam detach-group-policy --group-name iam_group --policy-arn policy_arn
  4. Detach the policy from all IAM Roles:
     aws iam detach-role-policy --role-name iam_role --policy-arn policy_arn
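
The GSL rule and the role-level detach step above can be rehearsed offline before touching an account. The following is an added example, not CloudGuard's or AWS's own code: it evaluates the rule over constructed sample data shaped like AWS CLI output and emits the matching remediation command per finding. The account ID, service names, the inline policy name and the helper names role_name and audit are assumptions, as is modelling GSL `like` as a case-insensitive substring match.

```python
# Constructed sample data (not from a real account). SERVICES mirrors the
# serviceName/roleArn fields of `aws ecs describe-services`.
SERVICES = [
    {"serviceName": "mongodb", "roleArn": "arn:aws:iam::111122223333:role/admin"},
    {"serviceName": "web", "roleArn": "arn:aws:iam::111122223333:role/svc/ecs-web-lb"},
    {"serviceName": "batch"},  # no roleArn recorded on the service
]
# ROLE_POLICIES mirrors `aws iam list-attached-role-policies` (managed) and
# `aws iam list-role-policies` (inline policy names), keyed by role name.
ROLE_POLICIES = {
    "admin": {
        "attached": [{"PolicyName": "AdministratorAccess",
                      "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
        "inline": ["ops-ADMIN-inline"],
    },
    "ecs-web-lb": {
        "attached": [{"PolicyName": "AmazonEC2ContainerServiceRole",
                      "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"}],
        "inline": [],
    },
}

def role_name(role_arn):
    """Role name is the last segment of the ARN; an IAM path may precede it."""
    return role_arn.rsplit("/", 1)[-1]

def audit(services, role_policies, needle="admin"):
    """Return (service, role, policy, fix) for each policy name containing needle."""
    # Assumption: GSL `like '%admin%'` is modelled as a case-insensitive substring.
    findings = []
    for svc in services:
        if not svc.get("roleArn"):
            continue
        role = role_name(svc["roleArn"])
        pols = role_policies.get(role, {})
        for p in pols.get("attached", []):
            if needle in p["PolicyName"].lower():
                fix = ("aws iam detach-role-policy --role-name %s --policy-arn %s"
                       % (role, p["PolicyArn"]))
                findings.append((svc["serviceName"], role, p["PolicyName"], fix))
        for name in pols.get("inline", []):
            if needle in name.lower():
                # Inline policies have no ARN to detach; they are deleted instead.
                fix = "aws iam delete-role-policy --role-name %s --policy-name %s" % (role, name)
                findings.append((svc["serviceName"], role, name, fix))
    return findings

if __name__ == "__main__":
    print(*audit(SERVICES, ROLE_POLICIES), sep="\n")
```

A name match only catches policies whose name contains "admin"; a policy that allows every action on every resource under a different name is not flagged by this check.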

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset