ECS Task Definition Invalid CPU or Memory
- Query id: f4c9b5f5-68b8-491f-9e48-4f96644a1d51
- Query name: ECS Task Definition Invalid CPU or Memory
- Platform: CloudFormation
- Severity: Low
- Category: Resource Management
- CWE: Ongoing
- URL: Github
Description
In an ECS Task Definition that uses the FARGATE launch type, specifying an invalid CPU or Memory value results in an error when the task is deployed.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
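# Positive (flagged) sample. The page as extracted had lost all YAML indentation,
# which makes the template unparseable; the nesting below is restored from the
# equivalent JSON sample on this page.
#
# What the query reports: the container-level Cpu/Memory pairs in the two task
# definitions are not valid Fargate sizes, so a deployment using them fails.
#
# NOTE(review): Cpu/Memory are set here inside ContainerDefinitions (container
# level). Fargate task-size validation applies to the task-level Cpu/Memory
# properties of AWS::ECS::TaskDefinition, which this sample does not set —
# confirm this matches the query's intent.
#
# NOTE(review): ECSServiceRole, ECSTaskDefinition, Listener, AppName,
# AppContainerPort and AppHostPort are referenced but not declared in this
# template; it is a scanner fixture, not a deployable stack.
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  ECSService:
    Type: AWS::ECS::Service
    DependsOn:
      - Listener
    Properties:
      Role:
        Ref: ECSServiceRole
      TaskDefinition:
        Ref: ECSTaskDefinition
      DesiredCount: 1
      LoadBalancers:
        - TargetGroupArn:
            Ref: TargetGroup
          ContainerPort: 80
          ContainerName: sample-app
      Cluster:
        Ref: ECSCluster
      # FARGATE is what brings the fixed CPU/memory pairing rules into play.
      LaunchType: FARGATE
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name:
            Ref: "AppName"
          MountPoints:
            - SourceVolume: "my-vol"
              ContainerPath: "/var/www/my-vol"
          Image: "amazon/amazon-ecs-sample"
          # 256 CPU units is a valid Fargate tier on its own ...
          Cpu: 256
          PortMappings:
            - ContainerPort:
                Ref: "AppContainerPort"
              HostPort:
                Ref: "AppHostPort"
          EntryPoint:
            - "/usr/sbin/apache2"
            - "-D"
            - "FOREGROUND"
          # ... but 4096 MiB is not one of the memory sizes Fargate offers at the
          # 256-unit tier (that tier tops out at 2 GB), so this pairing is flagged.
          Memory: 4096
          Essential: true
      Volumes:
        # NOTE(review): host-path bind mounts are not supported on Fargate tasks;
        # kept as in the fixture.
        - Host:
            SourcePath: "/var/lib/docker/vfs/dir/"
          Name: "my-vol"
  taskdefinition2:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name:
            Ref: "AppName2"
          MountPoints:
            - SourceVolume: "my-vol"
              ContainerPath: "/var/www/my-vol"
          Image: "amazon/amazon-ecs-sample"
          # 100 is not a Fargate CPU tier at all (valid tiers are 256, 512,
          # 1024, 2048, 4096, ...), so this value is flagged regardless of memory.
          Cpu: 100
          PortMappings:
            - ContainerPort:
                Ref: "AppContainerPort"
              HostPort:
                Ref: "AppHostPort"
          EntryPoint:
            - "/usr/sbin/apache2"
            - "-D"
            - "FOREGROUND"
          Memory: 4096
          Essential: true
      Volumes:
        - Host:
            SourcePath: "/var/lib/docker/vfs/dir/"
          Name: "my-vol"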
Positive test num. 2 - json file
{
"Resources": {
"ECSService": {
"DependsOn": [
"Listener"
],
"Properties": {
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1,
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE"
},
"Type": "AWS::ECS::Service"
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Essential": true,
"Name": {
"Ref": "AppName"
},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": 256,
"PortMappings": [
{
"ContainerPort": {
"Ref": "AppContainerPort"
},
"HostPort": {
"Ref": "AppHostPort"
}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": 4096
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]
}
},
"taskdefinition2": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Memory": 4096,
"Essential": true,
"Name": {
"Ref": "AppName2"
},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": 100,
"PortMappings": [
{
"ContainerPort": {
"Ref": "AppContainerPort"
},
"HostPort": {
"Ref": "AppHostPort"
}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
]
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template"
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
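# Negative (passing) sample. Indentation was lost in extraction and is restored
# here from the equivalent JSON sample on this page; without it the template is
# not valid YAML.
#
# What makes this pass: the single container uses Cpu 256 with Memory 512, a
# pairing Fargate accepts (0.25 vCPU with 0.5 GB).
#
# NOTE(review): as in the positive sample, Cpu/Memory are container-level; the
# task-level Cpu/Memory properties that Fargate validates are not set here.
#
# NOTE(review): ECSServiceRole, ECSTaskDefinition, Listener, AppName,
# AppContainerPort and AppHostPort are referenced but not declared — fixture only.
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  ECSService:
    Type: AWS::ECS::Service
    DependsOn:
      - Listener
    Properties:
      Role:
        Ref: ECSServiceRole
      TaskDefinition:
        Ref: ECSTaskDefinition
      DesiredCount: 1
      LoadBalancers:
        - TargetGroupArn:
            Ref: TargetGroup
          ContainerPort: 80
          ContainerName: sample-app
      Cluster:
        Ref: ECSCluster
      LaunchType: FARGATE
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name:
            Ref: "AppName"
          MountPoints:
            - SourceVolume: "my-vol"
              ContainerPath: "/var/www/my-vol"
          Image: "amazon/amazon-ecs-sample"
          # 256 CPU units ...
          Cpu: 256
          PortMappings:
            - ContainerPort:
                Ref: "AppContainerPort"
              HostPort:
                Ref: "AppHostPort"
          EntryPoint:
            - "/usr/sbin/apache2"
            - "-D"
            - "FOREGROUND"
          # ... with 512 MiB is a supported Fargate combination, so no finding.
          Memory: 512
          Essential: true
      Volumes:
        # NOTE(review): host-path bind mounts are not supported on Fargate tasks;
        # kept as in the fixture.
        - Host:
            SourcePath: "/var/lib/docker/vfs/dir/"
          Name: "my-vol"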
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"PortMappings": [
{
"ContainerPort": {
"Ref": "AppContainerPort"
},
"HostPort": {
"Ref": "AppHostPort"
}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": 512,
"Essential": true,
"Name": {
"Ref": "AppName"
},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": 256
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]
}
}
}
}