AWS Inspector ECS task definition finding

0

I’m trying to resolve an AWS Inspector finding that says:

“Amazon ECS task definitions ContainerDefinitions has User not present and Privileged set to false. Make sure that ContainerDefinitions have either User set to a non-root user value or Privileged set to true.”

I’ve already set the User field to 1000 in my task definition, but I can’t set Privileged to true because the task runs on Fargate, which doesn’t support privileged mode.

Here is the relevant part of my task definition:

Type: AWS::ECS::TaskDefinition
Properties:
  Family: task_name
  RequiresCompatibilities: [FARGATE]
  NetworkMode: awsvpc
  Cpu: "512"
  Memory: "1024"
  ExecutionRoleArn: task_execution_role
  TaskRoleArn: task_role
  RuntimePlatform:
    CpuArchitecture: X86_64
    OperatingSystemFamily: LINUX
  ContainerDefinitions:
    - Name: container_name
      Image: container_image
      User: "1000"   # Set here

How can I resolve the Inspector finding in this scenario?

2 Answers
0

The AWS Inspector finding you're encountering is checking for security best practices in your ECS task definitions. Since you've already set the User parameter to "1000" in your container definition, you've actually already addressed the finding correctly.

The finding is looking for one of two conditions to be satisfied:

  1. Either set a non-root user (which you've done by setting User: "1000")
  2. OR set Privileged to true (which isn't supported in Fargate)

Since you're using Fargate as your launch type (indicated by RequiresCompatibilities: [FARGATE]), you cannot use privileged containers as you correctly noted. However, by specifying a non-root user (1000), you've already satisfied the security requirement that the finding is checking for.

The finding should be resolved once AWS Inspector re-evaluates your task definition. If the finding persists, you might need to verify that the task definition has been properly deployed and that the Inspector is evaluating the latest version of your task definition.

This approach aligns with the security best practice of running containers with the least privilege necessary, which is preferable to running containers in privileged mode anyway.
Sources
Ecs Task Definition | Amazon Q, Detector Library
ecs-task-definition-nonroot-user - AWS Config
Amazon ECS task definition parameters for Amazon EC2 - Amazon Elastic Container Service

answered 6 months ago
  • Even after setting User: "1000" in the task definition, the AWS Inspector finding still hasn’t cleared. I’ve already run on-demand scans three separate times, but the finding continues to appear.

0

I think AWS Inspector does not scan your task definition and instead scans your Docker image in ECR. The user-related definition needs to be in the Dockerfile as well, as shown below.

FROM public.ecr.aws/docker/library/python:3.12-slim

# Create app user
RUN groupadd -g 1000 appuser \
    && useradd -u 1000 -g 1000 -m appuser

WORKDIR /app
COPY . /app
RUN chown -R appuser:appuser /app

USER appuser

CMD ["python", "app.py"]
answered 6 months ago
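A check that applies the finding's two conditions (non-root User, or Privileged true) to a task definition in the shape returned by `aws ecs describe-task-definition`, run over the asker's case (User "1000" on Fargate) plus a container with no User and one running as root. This is an added example, not AWS's Inspector or Config rule code; which user spellings count as root and the handling of "user:group" values are assumptions.

```python
import json

# Added example, not AWS code. Which spellings count as root is an assumption;
# the finding itself only says "non-root user".
ROOT_USERS = {"", "root", "0"}


def is_non_root_user(user):
    """True if 'user' names a non-root account. ECS/Docker accept "user",
    "uid", "user:group" and "uid:gid"; only the part before ':' decides."""
    if not user:
        return False
    return user.split(":", 1)[0].strip() not in ROOT_USERS


def evaluate_container(container):
    """Apply the finding's rule: pass if non-root user OR privileged is true."""
    if is_non_root_user(container.get("user")) or container.get("privileged", False):
        return []
    return ["User not present or root, and Privileged is false"]


def evaluate_task_definition(task_def):
    """Return {container name: [problems]} for a describe-task-definition dict.
    Also flags privileged=true on Fargate, which the service does not support."""
    fargate = "FARGATE" in task_def.get("requiresCompatibilities", [])
    report = {}
    for c in task_def.get("containerDefinitions", []):
        problems = evaluate_container(c)
        if fargate and c.get("privileged", False):
            problems.append("Privileged is not supported on Fargate")
        report[c["name"]] = problems
    return report


# Constructed sample in the shape of `aws ecs describe-task-definition` output.
SAMPLE_TASK_DEFINITION = json.loads("""{
  "family": "task_name",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {"name": "app", "image": "container_image", "user": "1000"},
    {"name": "sidecar", "image": "sidecar_image"},
    {"name": "debug", "image": "debug_image", "user": "root:root", "privileged": true}
  ]
}""")

if __name__ == "__main__":
    for name, problems in evaluate_task_definition(SAMPLE_TASK_DEFINITION).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The check only sees the task definition, so it cannot tell whether the image itself sets USER in its Dockerfile, which is what the second answer addresses.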
