ECS Service Admin Role Is Present
- Query id: 3206240f-2e87-4e58-8d24-3e19e7c83d7c
- Query name: ECS Service Admin Role Is Present
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
#this is a problematic code where the query should report a result(s)
resource "aws_ecs_service" "positive1" {
name = "mongodb"
cluster = aws_ecs_cluster.foo.id
task_definition = aws_ecs_task_definition.mongo.arn
desired_count = 3
iam_role = "admin"
depends_on = [aws_iam_role_policy.foo]
ordered_placement_strategy {
type = "binpack"
field = "cpu"
}
load_balancer {
target_group_arn = aws_lb_target_group.foo.arn
container_name = "mongo"
container_port = 8080
}
placement_constraints {
type = "memberOf"
expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
#this code is a correct code for which the query should not find any result
resource "aws_ecs_service" "negative1" {
name = "mongodb"
cluster = aws_ecs_cluster.foo.id
task_definition = aws_ecs_task_definition.mongo.arn
desired_count = 3
iam_role = aws_iam_role.foo.arn
depends_on = [aws_iam_role_policy.foo]
ordered_placement_strategy {
type = "binpack"
field = "cpu"
}
load_balancer {
target_group_arn = aws_lb_target_group.foo.arn
container_name = "mongo"
container_port = 8080
}
placement_constraints {
type = "memberOf"
expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
}
}