AWS securityhub high security documentation change
Summary
Corrected terminology, fixed typos, updated service references (Lambda to ECR), and improved clarity in security guidance for Amazon ECS task definitions, IAM roles, and vulnerability remediation.
Security assessment
The change replaces 'reachability traits' with 'vulnerability traits', ensuring accurate classification of security risks. It also corrects a critical misreference from Lambda to ECR in package vulnerability remediation steps, preventing misapplication of security fixes. These updates address potential misconfigurations that could leave vulnerabilities unmitigated.
Diff
diff --git a/securityhub/latest/userguide/exposure-ecs-service.md b/securityhub/latest/userguide/exposure-ecs-service.md index 921f64111..993812368 100644 --- a//securityhub/latest/userguide/exposure-ecs-service.md +++ b//securityhub/latest/userguide/exposure-ecs-service.md @@ -66 +66 @@ In the exposure, identify the task definition ARN. Open the task definition in t -IAM Roles enable Amazon ECS tasks to securely access other AWS services using temporary credentials. Task execution roles may be required for Amazon ECS tasks where the container needs to interact with other AWS resources. While this is sometimes necessary for container functionality, improperly configured roles can grant excessive privileges that can be exploited by attackers if a container is compromised, potentially allowing unauthorized access to AWS resources, data theft, or unauthorized modification of your infrastructure. Following standard security principles, AWS recommends implementing least privilege access and reviewing IAM roles attached to your Amazon ECS tasks. +IAM roles enable Amazon ECS tasks to securely access other AWS services using temporary credentials. Task execution roles may be required for Amazon ECS tasks where the container needs to interact with other AWS resources. While this is sometimes necessary for container functionality, improperly configured roles can grant excessive privileges that can be exploited by attackers if a container is compromised, potentially allowing unauthorized access to AWS resources, data theft, or unauthorized modification of your infrastructure. Following standard security principles, AWS recommends implementing least privilege access and reviewing IAM roles attached to your Amazon ECS tasks. @@ -78 +78 @@ Amazon ECS containers with access to the host root filesystem can potentially re -In the the exposure finding, identify the task definition ARN. Open the task definition in the Amazon ECS console. Look for the volumes section in the task definition that defines host path mappings. Review the task definition to determine if the host filesystem access is required for container functionality. s If host filesystem access is not required, create a new task definition revision and remove any volume definitions that use host paths. If host filesystem access is required, consider configuring the container to use a read-only file system to prevent unauthorized modifications. +In the exposure finding, identify the task definition ARN. Open the task definition in the Amazon ECS console. Look for the volumes section in the task definition that defines host path mappings. Review the task definition to determine if the host filesystem access is required for container functionality. If host filesystem access is not required, create a new task definition revision and remove any volume definitions that use host paths. If host filesystem access is required, consider configuring the container to use a read-only file system to prevent unauthorized modifications. @@ -175 +175 @@ IAM roles with administrative access policies attached to Amazon ECS tasks provi -n the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and select the identified role. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect": "Allow", "Action": "*", and "Resource": "*"` together. +In the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and select the identified role. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect": "Allow", "Action": "*", and "Resource": "*"` together. @@ -179 +179 @@ n the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and -Replace administrative policies with those that grant only the specific permissions required for the instance to function. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. Alternatively, you can create a new IAM role to avoid impacting other applications that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. +Replace administrative policies with those that grant only the specific permissions required for the instance to function. To identify unnecessary permissions, you can use IAM Access Analyzer to understand how to modify your policy based on access history. Alternatively, you can create a new IAM role to avoid impacting other applications that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. @@ -198 +198 @@ Create a new revision of your task definition that references the new or updated -Here are reachability traits for Amazon ECS and suggested remediation steps. +Here are vulnerability traits for Amazon ECS and suggested remediation steps. @@ -210 +210 @@ Package vulnerability findings identify software packages in your AWS environmen -Review the package vulnerability finding for your Lambda function. Update the package version as suggested by Amazon Inspector. For information, see [Viewing details for your Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-details.html) in the _Amazon Inspector User Guide_. The **Remediation** section of the finding details in the Amazon Inspector console tells you which commands you can run to update the package. +Review the package vulnerability finding for your ECR container image. Update the package version as suggested by Amazon Inspector. For more information, see [Viewing details for your Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-details.html) in the _Amazon Inspector User Guide_. The **Remediation** section of the finding details in the Amazon Inspector console tells you which commands you can run to update the package. @@ -214 +214 @@ Review the package vulnerability finding for your Lambda function. Update the pa -Rebuilding and update the base container images regularly to keep your containers up to date. When rebuilding the image, don't include unnecessary components to reduce the attack surface. For instructions on rebuilding a container image, see [Rebuild you images often](https://docs.docker.com/build/building/best-practices/#rebuild-your-images-often). +Rebuild and update base container images regularly to keep your containers up to date. When rebuilding an image, don't include unnecessary components to reduce the attack surface. For instructions on rebuilding a container image, see [Rebuild your images often](https://docs.docker.com/build/building/best-practices/#rebuild-your-images-often).