Checks if Amazon ECS task definitions with host network mode have privileged OR nonroot in the container definition. The rule is NON_COMPLIANT if the latest active revision of a task definition has privileged=false (or is null) AND user=root (or is null).
Important
Only one condition needs to be met for the rule to return compliant
The rule is COMPLIANT in any of following scenarios:
If the network mode is not set to host,
If the latest active revision of a task definition has privileged=true,
If the latest active revision of a task definition has a user that is not the root.
This means that only one of these conditions need to be met for the rule to return compliant. To check specifically if a task definition has privileged=true, see ecs-containers-nonprivileged. To check specifically if a task definition has a user that is not the root, see ecs-task-definition-nonroot-user.
Identifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
Resource Types: AWS::ECS::TaskDefinition
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Middle East (UAE) Region
Parameters:
- SkipInactiveTaskDefinitions (Optional)
- Type: boolean
-
Boolean flag to not check INACTIVE Amazon EC2 task definitions. If set to 'true', the rule won't evaluate INACTIVE Amazon EC2 task definitions. If set to 'false', the rule will evaluate the latest revision of INACTIVE Amazon EC2 task definitions.
AWS CloudFormation template
To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.
