Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
Determine the specific permissions needed by your ECS Service, and then craft IAM policies for these permissions only, instead of full administrative privileges. There should not be any policies that grant blanket permissions ('*') to resources. It is recommended and considered a standard security best practice to grant least privileges that is, granting only the permissions required to perform a task.
Risk Level: High
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.IAM.109
Category: Compute
GSL LOGIC
EcsService should not have role.combinedPolicies contain [ relationType!='AssumeRole' and policyDocument.Statement contain [Effect='Allow' and (Action contain ['*']) ]]
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Roles'
- Select the overly permissive IAM Role
- Select the relevant policy
- Redefine its permissions based on the principle of least privilege
From TF
To update an IAM policy, edit the 'Action' argument:
resource "aws_iam_policy" "example_iam_policy" {
..
policy = jsonencode({
..
Statement = [
{
..
Action = ACTIONS-LIST
..
},
]
})
}
From Command Line
To update a managed policy, use:
aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT --set-as-default
References
- https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
Amazon Elastic Container Service
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS PCI-DSS 4.0
- AWS Security Risk Management
Updated over 1 year ago