ECS.1 Amazon ECS task definitions should have secure networking modes and user definitions.
Given that AWS Batch necessitates the network mode to be 'host' for task definitions, how can we ensure that our Amazon ECS configurations maintain secure networking modes and user definitions, especially considering the ecs.1 Security Hub finding?
What should we do to address the security concern here?
Per the official documentation on this AWS SecurityHub ECS control here:
So you need to set or update the `privileged` and `user` attributes of your task definition. You may have to make some changes to your `Dockerfile` and rebuild the image such that it can run as a non-root user.
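The following is an added example, not part of the original answer and not AWS code: a Python check that mirrors how ECS.1 evaluates a task definition, failing containers in `host` network mode where `privileged` is false or unset and `user` is root or unset. The sample task definitions are constructed, and treating `root` or UID `0` (with an optional `:group` suffix) as root is an assumption of this example.

```python
# Added example: offline approximation of the ECS.1 evaluation logic.
# All task definitions below are constructed sample data.

def is_root_user(user):
    """An empty or missing user falls back to the image default, which the
    control treats like root. Assumption: 'root' or UID '0' before an
    optional ':group' suffix counts as root."""
    if not user:
        return True
    return user.split(":", 1)[0].strip() in ("root", "0")


def ecs1_findings(task_def):
    """Return the names of containers that would fail the check."""
    if task_def.get("networkMode") != "host":
        return []  # the control only evaluates host network mode
    failing = []
    for container in task_def.get("containerDefinitions", []):
        privileged = bool(container.get("privileged", False))
        if not privileged and is_root_user(container.get("user")):
            failing.append(container["name"])
    return failing


# Constructed: host-mode task definition as AWS Batch would require it.
BEFORE = {
    "family": "batch-job-example",
    "networkMode": "host",
    "containerDefinitions": [
        {"name": "worker", "image": "example/worker:1"},            # user unset
        {"name": "sidecar", "image": "example/sidecar:1", "user": "0:0"},
    ],
}

# Constructed: same task definition after rebuilding images to run non-root.
AFTER = {
    "family": "batch-job-example",
    "networkMode": "host",
    "containerDefinitions": [
        {"name": "worker", "image": "example/worker:2", "user": "1000:1000"},
        {"name": "sidecar", "image": "example/sidecar:2", "user": "appuser"},
    ],
}

if __name__ == "__main__":
    print("before:", ecs1_findings(BEFORE))
    print("after: ", ecs1_findings(AFTER))
```

Setting `privileged` to true also satisfies the check, but it widens the container's access to the host, so a non-root `user` is the preferable way to clear the finding.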