Ensure there are no services with admin roles for Amazon Elastic Container Service (ECS)

HIGH

Description

An AWS ECS service that runs under an IAM role with administrative permissions can give its tasks full, unauthorized access to AWS resources.

Remediation

The role can only be altered when using a networking configuration other than awsvpc in a task definition. You must also use a load balancer with a single target group. For more information on how to properly configure a task definition, see the AWS documentation.

In AWS Console -

  1. Sign in to the AWS Console and go to the Amazon ECS console.
  2. Select Task Definitions.
  3. Create a new Task Definition with the appropriate Task Role on the Environment page.

In Terraform -

  1. In the aws_ecs_service resource, set the iam_role field to a role that does not carry administrator permissions.
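
The Terraform step can be checked automatically before apply. The following Python example is added here and is not part of this policy page or of Terraform: it reads the JSON emitted by `terraform show -json plan.out` (root module only; the embedded SAMPLE_PLAN is constructed) and reports every aws_ecs_service whose iam_role has the AdministratorAccess managed policy attached or an inline policy allowing Action "*" on Resource "*".

```python
# Flag aws_ecs_service resources whose iam_role carries admin rights, from `terraform show -json plan.out` (root module only).
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample plan: "web" runs on an admin role, "api" on a scoped role.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "aws_iam_role_policy_attachment", "address": "aws_iam_role_policy_attachment.admin",
     "values": {"role": "ecs-admin", "policy_arn": ADMIN_POLICY_ARN}},
    {"type": "aws_iam_role_policy", "address": "aws_iam_role_policy.svc",
     "values": {"role": "ecs-service", "policy": json.dumps({"Statement": [{
         "Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:RegisterTargets"]}]})}},
    {"type": "aws_ecs_service", "address": "aws_ecs_service.web",
     "values": {"name": "web", "iam_role": "arn:aws:iam::123456789012:role/ecs-admin"}},
    {"type": "aws_ecs_service", "address": "aws_ecs_service.api",
     "values": {"name": "api", "iam_role": "ecs-service"}},
]}}})

def _as_list(v): return [v] if isinstance(v, (str, dict)) else list(v)

def role_name(value):
    """iam_role may be a role name or a role ARN; normalise to the bare name."""
    return value.rsplit("/", 1)[-1]

def is_wildcard_admin(policy_doc):
    """True when any Allow statement grants Action "*" on Resource "*"."""
    return any(s.get("Effect") == "Allow"
               and "*" in _as_list(s.get("Action", []))
               and "*" in _as_list(s.get("Resource", []))
               for s in _as_list(policy_doc.get("Statement", [])))

def role_is_admin(role, resources):
    """Admin if AdministratorAccess is attached or an inline policy is wildcard."""
    name = role_name(role)
    for r in resources:
        vals = r["values"]
        if role_name(vals.get("role", "")) != name:
            continue
        if r["type"] == "aws_iam_role_policy_attachment" and vals.get("policy_arn") == ADMIN_POLICY_ARN:
            return True
        if r["type"] == "aws_iam_role_policy" and is_wildcard_admin(json.loads(vals["policy"])):
            return True
    return False

def find_admin_ecs_services(plan_json):
    """Return addresses of aws_ecs_service resources that violate AC_AWS_0087."""
    resources = json.loads(plan_json)["planned_values"]["root_module"]["resources"]
    return [r["address"] for r in resources
            if r["type"] == "aws_ecs_service" and r["values"].get("iam_role")
            and role_is_admin(r["values"]["iam_role"], resources)]
```

Run it in CI on the plan JSON and fail the pipeline when the returned list is non-empty; roles whose policies are only known after apply will not be resolved from the plan and need a second check against the live account.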

References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_definition_parameters.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service

Policy Details

Rule Reference ID: AC_AWS_0087
CSP: AWS
Remediation Available: Yes
Resource: aws_ecs_service
Resource Category: Compute

Frameworks