AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-04-16 · Security-related medium

File: securityhub/latest/userguide/ecs-controls.md

Summary

Added new control [ECS.17] prohibiting host network mode, updated requiredTagKeys parameters, and removed punctuation in control titles

Security assessment

ECS.17 explicitly addresses security risks of host network mode (potential privilege escalation and network exposure) with NIST compliance references. Other changes are parameter constraints and formatting.

Diff

diff --git a/securityhub/latest/userguide/ecs-controls.md b/securityhub/latest/userguide/ecs-controls.md
index c6922abc9..46ab52abe 100644
--- a//securityhub/latest/userguide/ecs-controls.md
+++ b//securityhub/latest/userguide/ecs-controls.md
@@ -5 +5 @@
-[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS containers should be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses
+[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS containers should be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode
@@ -11 +11 @@ These Security Hub controls evaluate the Amazon Elastic Container Service (Amazo
-## [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
+## [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
@@ -259 +259 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -289 +289 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -319 +319 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -356,0 +357,26 @@ To update an ECS task set so that it doesn't use a public IP address, see [Updat
+## [ECS.17] ECS task definitions should not use host network mode
+
+**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6
+
+**Category:** Protect > Secure network configuration
+
+**Severity:** Medium
+
+**Resource type:** `AWS::ECS::TaskDefinition`
+
+**AWS Config rule:** [ecs-task-definition-network-mode-not-host](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-network-mode-not-host.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** None
+
+This control checks whether the latest active revision of an Amazon ECS task definition uses `host` network mode. The control fails if the latest active revision of the ECS task definition uses `host` network mode.
+
+When using `host` network mode, the networking of an Amazon ECS container is tied directly to the underlying host that's running the container. Consequently, this mode allows containers to connect to private loopback network services on the host and to impersonate the host. Other significant drawbacks are that there's no way to remap a container port when using `host` network mode, and you can't run more than a single instantiation of a task on each host.
+
+### Remediation
+
+For information about networking modes and options for Amazon ECS tasks that are hosted on Amazon EC2 instances, see [Amazon ECS task networking options for the EC2 launch type](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the _Amazon Elastic Container Service Developer Guide_. For information about creating a new revision of a task definition and specifying a different network mode, see [Updating an Amazon ECS task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in that guide.
+
+If the Amazon ECS task definition was created by AWS Batch, see [Networking modes for AWS Batch jobs](https://docs.aws.amazon.com/batch/latest/userguide/networking-modes-jobs.html) to learn about networking modes and typical usage for AWS Batch job types and to choose a secure option.
+