AWS securityhub documentation change
Summary
Removed retired control [ECS.1] and its documentation
Security assessment
This change removes a retired security control without introducing new vulnerabilities. The removal indicates the control is no longer relevant, but doesn't address any active security issue. Security coverage is maintained through other existing controls.
Diff
diff --git a/securityhub/latest/userguide/ecs-controls.md b/securityhub/latest/userguide/ecs-controls.md index b0c26bdaf..f1cd644ac 100644 --- a//securityhub/latest/userguide/ecs-controls.md +++ b//securityhub/latest/userguide/ecs-controls.md @@ -7 +7 @@ -[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes[ECS.19] ECS capacity providers should have managed termination protection enabled[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions +[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes[ECS.19] ECS capacity providers should have managed termination protection enabled[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions @@ -13,48 +12,0 @@ These Security Hub CSPM controls evaluate the Amazon Elastic Container Service ( -## [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions - -###### Important - -Security Hub CSPM retired this control in March 2026. For more information, see [Change log for Security Hub CSPM controls](./controls-change-log.html). You can refer to the following controls for evaluation of privileged configuration, network mode configuration, and user configuration: - - * [ECS.4] ECS containers should run as non-privileged - - * [ECS.17] ECS task definitions should not use host network mode - - * [ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions - - * [ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions - - - - -**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6 - -**Category:** Protect > Secure access management - -**Severity:** High - -**Resource type:** `AWS::ECS::TaskDefinition` - -**AWS Config rule:** [ecs-task-definition-user-for-host-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html) - -**Schedule type:** Change triggered - -**Parameters:** - - * `SkipInactiveTaskDefinitions`: `true` (not customizable) - - - - -This control checks whether an active Amazon ECS task definition with host networking mode has `privileged` or `user` container definitions. The control fails for task definitions that have host network mode and container definitions of `privileged=false`, empty and `user=root`, or empty. - -This control only evaluates the latest active revision of an Amazon ECS task definition. - -The purpose of this control is to ensure that access is defined intentionally when you run tasks that use the host network mode. If a task definition has elevated privileges, it is because you have chosen that configuration. This control checks for unexpected privilege escalation when a task definition has host networking enabled, and you don't choose elevated privileges. - -### Remediation - -For information about how to update a task definition, see [Updating a task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition.html) in the _Amazon Elastic Container Service Developer Guide_. - -When you update a task definition, it doesn't update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition. -