Skip to main content
McAfee MVISION Cloud

Policy Templates for AWS Fargate

The following Policy Templates are used for  AWS Fargate and ECS. 

AWS Fargate

Policy Name Resource Benchmark PCI DSS HIPAA NIST 800-53 Policy Description
ECS Fargate: HEALTHCHECK instruction should be added to the container image in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Add HEALTHCHECK instruction in your docker container images to perform the health check on running containers. 
ECS Fargate: A daemon wide custom seccomp profile should be applied in ECS Fargate cluster ECS FARGATE CIS Level 2     CM-3 You can choose to apply your custom seccomp profile at the daemon-wide level if needed and override Docker's default seccomp profile. 
ECS Fargate: Incoming container traffic should be binded to a specific host interface in ECS Fargate cluster ECS FARGATE CIS Level 1     SC-7 By default, Docker containers can make connections to the outside world, but the outside world cannot connect to containers. Each outgoing connection will appear to originate from one of the host machine's own IP addresses. Only allow container services to be contacted through a specific external interface on the host machine. 
ECS Fargate: Centralized and remote logging should be configured in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Docker now supports various log drivers. A preferable way to store logs is the one that supports centralized and remote logging.
ECS Fargate: Container CPU priority should be set appropriately in ECS Fargate cluster ECS FARGATE CIS Level 1     SC-6 By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as CPU shares, you can control the host CPU resources that a container may consume. 
ECS Fargate: Content Trust should be enabled For Docker in ECS Fargate cluster ECS FARGATE CIS Level 2     CM-3 Content trust is disabled by default and should be enabled in line with organizational security policy.Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the identity and the publisher of specific image tags and ensures the provenance of container images. 
ECS Fargate: Default seccomp profile should not be disabled in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on whitelist basis and allows 311 system calls blocking all others. It should not be disabled unless it hinders your container application usage. 
ECS Fargate: Docker Version should be kept up to date in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Frequent releases for Docker are issued which address security vulnerabilities, resolve product bugs and bring in new functionality. You should keep a tab on these product updates and upgrade as frequently as possible in line with the general IT security policy of your organization. 
ECS Fargate: Host devices should not be exposed directly to containers in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Host devices can be directly exposed to containers at runtime. Do not directly expose host devices to containers especially for containers that are not trusted. 
ECS Fargate: Memory usage for container should be limited in ECS Fargate cluster ECS FARGATE CIS Level 1     SC-6 By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as memory limit, you can control the amount of memory that a container may consume. 
ECS Fargate: Docker socket should not be mounted inside any containers in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 The docker socket (docker.sock) should not be mounted inside a container.
Rationale:
If the docker socket is mounted inside a container it would allow processes running within the container to execute docker commands which effectively allows for full control of the host.
ECS Fargate: Sensitive host system directories should not be mounted on containers in ECS Fargate cluster ECS FARGATE CIS Level 2     CM-3 Sensitive host system directories such as below should not be allowed to be mounted as container volumes especially in read-write mode. 
ECS Fargate: A non-root user should be created for the container in ECS Fargate cluster ECS FARGATE CIS Level 1     SC-2 Create a non-root user for the container in the Dockerfile for the container image. 
ECS Fargate: The 'on-failure' container restart policy should be set to 5 in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Using the '--restart' flag in 'docker run' command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the 'on-failure' restart policy and limit the restart attempts to 5.
ECS Fargate: PIDs cgroup limit should be used in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Use --pids-limit flag at container runtime
ECS Fargate: Privileged ports should not be mapped within containers in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Docker allows a container port to be mapped to a privileged port.
ECS Fargate: Privileged containers should not be used in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
ECS Fargate: Container's file system should be mounted in read-only mode in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 The container's root file system should be treated as a 'golden image' and any writes to the root filesystem should be avoided. You should explicitly define a container volume for writing. 
ECS Fargate: Setuid and Setgid permissions should be removed in the images in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers. 
ECS Fargate: Linux Kernel Capabilities should be restricted within containers in ECS Fargate cluster ECS FARGATE CIS Level 2     CM-3 By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may be granted the required capabilities instead of root access. Using Linux Kernel Capabilities, the processes do not have to run as root for almost all the specific areas where root permissions are usually needed. 
ECS Fargate: Container should be restricted from acquiring additional permissions in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 Restrict the container from acquiring additional permissions via suid or sgid bits. 
ECS Fargate: Host's UTS namespace should not be shared in ECS Fargate cluster ECS FARGATE CIS Level 1     CM-3 UTS namespaces provide isolation of two system identifiers: the hostname and the NIS domain name. It is used for setting the hostname and the domain that is visible to running processes in that namespace. Processes running within containers do not typically require to know hostname and domain name. Hence, the namespace should not be shared with the host. 
ECS Fargate: User namespace support should be enabled in ECS Fargate cluster ECS FARGATE CIS Level 1     SC-2 Enable user namespace support in Docker daemon to utilize container user to host user re-mapping. This recommendation is beneficial where containers you are using do not have an explicit container user defined in the container image. If container images that you are using have a pre-defined non-root user, this recommendation may be skipped since this feature is still in its infancy and might give you unpredictable issues and complexities. 
ECS Fargate: SELinux security options should be verified in ECS Fargate cluster ECS FARGATE CIS Level 2     CM-3 SELinux is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions by default such as Red Hat and Fedora. 
ECS Fargate: Container health should be checked at runtime in ECS Fargate cluster FARGATE CIS Level 1     CM-3 If the container image does not have an HEALTHCHECK instruction defined, use --health-cmd parameter at container runtime for checking container health. 
Arguments tls-cert-file and tls-private-key-file should be set as appropriate for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       Kubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.
Argument anonymous-auth should be set to false for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.
Argument authorization-mode should not be set to AlwaysAllow for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.
Argument client-ca-file should be set as appropriate for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet‚Äôs port-forwarding functionality. These connections terminate at the kubelet‚Äôs HTTPS endpoint. By default, the apiserver does not verify the kubelet‚Äôs serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.
Argument event-qps should be set to 0 for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.
Argument make-iptables-util-chains should be set to true for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open.
Argument protect-kernel-defaults should be set to true for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior
Argument read-only-port should be set to 0 for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.
Argument rotate-certificates should be set to true for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       The --rotate-certificates setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself
Argument RotateKubeletServerCertificate should be set to true for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.
Argument streaming-connection-idle-timeout should not be set to 0 for Kubelet Server in FARGATE EKS cluster FARGATE CIS Level 1       Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports. By default, --streaming-connection-idle-timeout is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.
Kubelet should only use strong Cryptographic Ciphers in FARGATE EKS cluster FARGATE CIS Level 1       TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.
Group container workloads onto hosts by sensitivity level FARGATE       SC-3  
  • Was this article helpful?