CRITICAL ECS

ECS privileged containers

Check ID: aws-ecs-001

AWS-ECS-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags ECS task definitions in which any container definition sets privileged: true, which gives that container root-equivalent access to the host's devices and kernel.

Why it matters

A privileged container runs with every Linux capability, without the runtime's default seccomp and AppArmor confinement, and with the host's device nodes exposed under /dev and the usual masking of /proc and /sys removed. No kernel exploit is needed to escape: the host's root block device is visible in /dev and can simply be mounted from inside the container. Kernel and runtime bugs such as CVE-2022-0185 (a heap overflow in the Linux filesystem context API, exploitable with CAP_SYS_ADMIN) or CVE-2024-21626 (a runc file-descriptor leak) make escape possible even from tighter containers, but a privileged one hands over the host outright. Root on the underlying EC2 instance lets an attacker query the instance metadata service for the instance role credentials, read the ECS agent's state and any other task's data on the same host, and move laterally into every container scheduled there. Fargate does not support the privileged parameter, so this finding only arises for tasks on EC2 or External capacity, where the host is an instance you own and must defend. The CIS Docker Benchmark (5.4, "Ensure that privileged containers are not used") and AWS ECS security best practices both say not to run containers in privileged mode unless a host-level operation genuinely requires it.

Common causes

Privileged mode usually arrives as a shortcut: the image needs a host device (a GPU, a block device, a serial port) or a specific kernel capability, and privileged: true is the quickest way to get it. Teams migrating Docker Compose files to ECS often carry the flag over from local development without asking whether the task still needs it. Monitoring and logging sidecars are another source; many request privileged mode to read host-level metrics when a read-only bind mount of the host paths they read is enough. Each of these has a narrower ECS option: resourceRequirements for GPUs, linuxParameters.devices for individual device nodes, and linuxParameters.capabilities.add for the single capability actually required. Mounting the Docker socket, which is sometimes confused with privileged mode, does not need the flag, but it is just as dangerous because the socket controls the host's container runtime.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Register a new task definition revision without privileged mode (FAMILY is a placeholder):
aws ecs describe-task-definition --task-definition FAMILY --query taskDefinition --output json > current-td.json
# Set privileged=false on every container and drop the read-only fields that register-task-definition rejects:
jq '.containerDefinitions |= map(.privileged = false) | del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .compatibilities, .registeredAt, .registeredBy, .deregisteredAt)' current-td.json > updated-td.json
aws ecs register-task-definition --cli-input-json file://updated-td.json
# Running tasks keep the old revision until the service is updated: aws ecs update-service --cluster CLUSTER --service SERVICE --task-definition FAMILY
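As an added example (not cloud-audit's own code, and not an official AWS snippet), the following Python reproduces both the detection and the remediation above: it scans the JSON that describe-task-definition returns for privileged containers, also flags the host-equivalent capabilities that often replace privileged mode when a finding is "fixed" by swapping the flag for SYS_ADMIN, and builds the input for register-task-definition. The sample task definition is constructed, with a placeholder account ID; remediate_family() is the only part that touches AWS and assumes boto3 plus ecs:DescribeTaskDefinition and ecs:RegisterTaskDefinition permissions.

```python
"""Detect privileged containers in an ECS task definition and build the
remediated revision.

Added example; not cloud-audit's own code. The offline functions work on the
JSON returned by `aws ecs describe-task-definition`; only remediate_family()
needs boto3 and AWS credentials.
"""
import json
from typing import Any, Dict, List, Optional

# Fields present in describe-task-definition output that
# register-task-definition rejects as input.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# Capabilities that give most of what privileged mode gives (mount host
# filesystems, load kernel modules, raw device I/O, bypass file read checks).
HOST_EQUIVALENT_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH"}

# Constructed sample in describe-task-definition shape; the ARN, account ID
# and image names are placeholders.
SAMPLE_TASK_DEF: Dict[str, Any] = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:7",
    "family": "web",
    "revision": 7,
    "status": "ACTIVE",
    "networkMode": "bridge",
    "requiresCompatibilities": ["EC2"],
    "compatibilities": ["EC2"],
    "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.privileged-container"}],
    "containerDefinitions": [
        {"name": "app", "image": "example/app:1.0", "essential": True},
        {"name": "node-exporter", "image": "example/exporter:1.0",
         "essential": False, "privileged": True},
        {"name": "sidecar", "image": "example/sidecar:1.0", "essential": False,
         "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}},
    ],
}


def find_privileged(task_def: Dict[str, Any]) -> List[str]:
    """Names of containers whose definition sets privileged=true."""
    return [c["name"] for c in task_def.get("containerDefinitions", [])
            if c.get("privileged") is True]


def find_host_equivalent_caps(task_def: Dict[str, Any]) -> Dict[str, List[str]]:
    """Container name -> added capabilities from HOST_EQUIVALENT_CAPS.

    Catches the common "fix" of dropping privileged but adding SYS_ADMIN,
    which the privileged check alone would pass."""
    findings: Dict[str, List[str]] = {}
    for c in task_def.get("containerDefinitions", []):
        added = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        bad = sorted(set(added) & HOST_EQUIVALENT_CAPS)
        if bad:
            findings[c["name"]] = bad
    return findings


def remediate(task_def: Dict[str, Any]) -> Dict[str, Any]:
    """Return a register-task-definition input: privileged=false on every
    container, read-only fields dropped, input left unmodified."""
    new = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    new["containerDefinitions"] = [
        {**c, "privileged": False} for c in task_def.get("containerDefinitions", [])
    ]
    return new


def remediate_family(family: str, region: Optional[str] = None) -> str:
    """Fetch the active revision of FAMILY, register a revision without
    privileged mode and return its ARN. Needs boto3 and credentials; the
    service must then be updated (ecs update-service) for running tasks
    to pick up the new revision."""
    import boto3  # imported here so the offline checks above need no SDK

    ecs = boto3.client("ecs", region_name=region)
    current = ecs.describe_task_definition(taskDefinition=family)["taskDefinition"]
    if not find_privileged(current):
        return current["taskDefinitionArn"]  # nothing to fix
    resp = ecs.register_task_definition(**remediate(current))
    return resp["taskDefinition"]["taskDefinitionArn"]


if __name__ == "__main__":
    print("privileged:", find_privileged(SAMPLE_TASK_DEF))
    print("host-equivalent caps:", find_host_equivalent_caps(SAMPLE_TASK_DEF))
    print(json.dumps(remediate(SAMPLE_TASK_DEF), indent=2))
```

Run it as-is to see the constructed sample scanned and the register input printed; note that remediate() clears the privileged flag but leaves the sidecar's SYS_ADMIN in place, which is why find_host_equivalent_caps() belongs in the same review.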

Remediation: Terraform

resource "aws_ecs_task_definition" "task" {
  family = "task"
  container_definitions = jsonencode([{
    name       = "container"
    image      = "REPLACE_WITH_IMAGE_URI"
    essential  = true
    privileged = false   # omit or set false; never true
  }])
}

This check is part of cloud-audit - install with pip install cloud-audit