##################################################################################
#
# Conformance Pack:
# Operational Best Practices for ECS
#
#
##################################################################################
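Parameters:
  # Comma-separated list of environment-variable names that the managed rule
  # ECS_NO_ENVIRONMENT_SECRETS treats as secrets. The rule matches on variable
  # name, so credentials stored under other names (database passwords, API
  # tokens, ...) are only flagged if they are added to this list. Quoted so
  # tooling never re-tokenises the comma-separated value.
  EcsNoEnvironmentSecretsParamSecretKeys:
    Default: 'AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECS_ENGINE_AUTH_DATA'
    Type: String
  # Forwarded to ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK as
  # SkipInactiveTaskDefinitions. Kept quoted: the parameter is a CloudFormation
  # String, and a bare true would be read as a YAML boolean by generic loaders.
  EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions:
    Default: 'true'
    Type: String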
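Resources:
  # AWS managed rule: ECS clusters must have Container Insights enabled.
  EcsContainerInsightsEnabled:
    Properties:
      ConfigRuleName: ecs-container-insights-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINER_INSIGHTS_ENABLED
    Type: AWS::Config::ConfigRule
  # AWS managed rule: container definitions must not set privileged: true.
  EcsContainersNonprivileged:
    Properties:
      ConfigRuleName: ecs-containers-nonprivileged
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_NONPRIVILEGED
    Type: AWS::Config::ConfigRule
  # AWS managed rule: container definitions must use a read-only root filesystem.
  EcsContainersReadonlyAccess:
    Properties:
      ConfigRuleName: ecs-containers-readonly-access
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_READONLY_ACCESS
    Type: AWS::Config::ConfigRule
  # AWS managed rule: Fargate services must run on the latest platform version.
  EcsFargateLatestPlatformVersion:
    Properties:
      ConfigRuleName: ecs-fargate-latest-platform-version
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::Service
      Source:
        Owner: AWS
        SourceIdentifier: ECS_FARGATE_LATEST_PLATFORM_VERSION
    Type: AWS::Config::ConfigRule
  # AWS managed rule: task definitions must not expose secrets through plain
  # environment variables. secretKeys is the list of variable names to flag;
  # when the condition is false, AWS::NoValue omits the key from
  # InputParameters entirely instead of passing an empty string.
  EcsNoEnvironmentSecrets:
    Properties:
      ConfigRuleName: ecs-no-environment-secrets
      InputParameters:
        secretKeys:
          Fn::If:
            - ecsNoEnvironmentSecretsParamSecretKeys
            - Ref: EcsNoEnvironmentSecretsParamSecretKeys
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_NO_ENVIRONMENT_SECRETS
    Type: AWS::Config::ConfigRule
  # AWS managed rule: every container definition must set a memory hard limit.
  EcsTaskDefinitionMemoryHardLimit:
    Properties:
      ConfigRuleName: ecs-task-definition-memory-hard-limit
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT
    Type: AWS::Config::ConfigRule
  # AWS managed rule: containers must not run as the root user.
  EcsTaskDefinitionNonrootUser:
    Properties:
      ConfigRuleName: ecs-task-definition-nonroot-user
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_NONROOT_USER
    Type: AWS::Config::ConfigRule
  # AWS managed rule: task definitions must not share the host PID namespace
  # (pidMode: host).
  EcsTaskDefinitionPidModeCheck:
    Properties:
      ConfigRuleName: ecs-task-definition-pid-mode-check
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_PID_MODE_CHECK
    Type: AWS::Config::ConfigRule
  # AWS managed rule: task definitions using host network mode must run
  # unprivileged and as a non-root user. SkipInactiveTaskDefinitions controls
  # whether inactive revisions are evaluated; same Fn::If / AWS::NoValue
  # pattern as above.
  EcsTaskDefinitionUserForHostModeCheck:
    Properties:
      ConfigRuleName: ecs-task-definition-user-for-host-mode-check
      InputParameters:
        SkipInactiveTaskDefinitions:
          Fn::If:
            - ecsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions
            - Ref: EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
    Type: AWS::Config::ConfigRule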
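Conditions:
  # True unless the operator blanks the corresponding parameter. When false,
  # the Fn::If in Resources resolves to AWS::NoValue and the InputParameters
  # entry is omitted from the rule rather than passed as an empty string.
  ecsNoEnvironmentSecretsParamSecretKeys:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: EcsNoEnvironmentSecretsParamSecretKeys
  ecsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions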