ECS is AWS's home-grown container orchestration service. It is generally simpler than Kubernetes, which is one of the many reasons for its popularity.
Orchestration systems like ECS or Kubernetes are generally complex, and there are many ways to introduce security holes.
One security hole in particular stems from the way containers interact with the host system. In over-simplified terms, containers are independent environments sharing the same kernel as the host. Many common resources, such as networking or file system mounts, are virtualized. Such virtualizations of operating system functionality exist to give flexibility in container creation and to protect the host's resources, but they come at the cost of performance (for detailed information and some benchmarks, we recommend this paper).
When you are defining an ECS task definition, you can point certain operating system functionality to the host, namely:
- The network interfaces
- The process namespace
- The IPC resource namespace
We do not recommend setting any of these to the host. In fact, for Kubernetes this practice is flagged by the CIS benchmarks (CIS Kubernetes Benchmark v. 1.6.0, sections 5.2.2, 5.2.3 and 5.2.4). For ECS, this behavior does not seem to be flagged currently (May 2022) by common security scanners. The good news is that this check is included in CoGuard, among many other security checks that are not included in other tools.
In practical terms, if you define a resource of type `aws_ecs_task_definition` in your Terraform file, make sure that none of `ipc_mode`, `pid_mode` and `network_mode` is set to `host`, unless you need to squeeze the last bit of performance out of your container. It is always best to play on the safe side. If you use CloudFormation, look for resources of type `AWS::ECS::TaskDefinition`; the respective keys are `IpcMode`, `PidMode` and `NetworkMode`.
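The check described above, written out as an added example (this is not CoGuard's code, and it assumes the Terraform file is in JSON syntax, i.e. a `.tf.json` file, and the CloudFormation template is in JSON; the sample inputs are constructed):

```python
import json

# Keys whose value "host" makes the task share a host namespace.
TF_HOST_KEYS = ("ipc_mode", "pid_mode", "network_mode")
CFN_HOST_KEYS = ("IpcMode", "PidMode", "NetworkMode")


def check_terraform_json(doc):
    """Return (resource_name, key) pairs for every aws_ecs_task_definition
    in a Terraform JSON document whose ipc/pid/network mode is 'host'."""
    findings = []
    task_defs = doc.get("resource", {}).get("aws_ecs_task_definition", {})
    for name, body in task_defs.items():
        for key in TF_HOST_KEYS:
            if str(body.get(key, "")).lower() == "host":
                findings.append((name, key))
    return findings


def check_cloudformation_json(doc):
    """Return (logical_id, key) pairs for every AWS::ECS::TaskDefinition
    in a CloudFormation JSON template whose Ipc/Pid/Network mode is 'host'."""
    findings = []
    for logical_id, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        props = res.get("Properties", {})
        for key in CFN_HOST_KEYS:
            if str(props.get(key, "")).lower() == "host":
                findings.append((logical_id, key))
    return findings


# Constructed sample inputs (not taken from any real deployment).
TERRAFORM_SAMPLE = json.loads("""
{"resource": {"aws_ecs_task_definition": {
  "api": {"family": "api", "network_mode": "awsvpc", "pid_mode": "host"},
  "worker": {"family": "worker", "network_mode": "bridge"}}}}
""")

CFN_SAMPLE = json.loads("""
{"Resources": {
  "ApiTask": {"Type": "AWS::ECS::TaskDefinition",
              "Properties": {"Family": "api", "IpcMode": "host", "NetworkMode": "host"}},
  "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}
""")

if __name__ == "__main__":
    for name, key in check_terraform_json(TERRAFORM_SAMPLE):
        print(f"Terraform: aws_ecs_task_definition.{name} sets {key} = host")
    for logical_id, key in check_cloudformation_json(CFN_SAMPLE):
        print(f"CloudFormation: {logical_id} sets {key} = host")
```

The check only matches literal values; a mode supplied through a Terraform variable or a CloudFormation `Ref`/parameter is not resolved here and would need the template to be rendered first.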
Given the rise in container escape attacks, CoGuard gives you the upper hand. To scan your infrastructure today to uncover your weakest links, contact us at firstname.lastname@example.org.