ECS Service Admin Role Is Present

  • Query id: 7db727c1-1720-468e-b80e-06697f71e09e
  • Query name: ECS Service Admin Role Is Present
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

ECS services must not run with an admin role: the 'role' attribute of the ECS service task must not reference an admin IAM role.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# this is problematic code for which the query should report a result
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: 'new_cluster-task:1'
    desired_count: 0
    role: admin

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# this is correct code for which the query should not find any result
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: new_cluster-task:1
    desired_count: 0
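As an added example, not part of the KICS query or of the Ansible collection, the following Python checker applies this rule to playbook tasks in the parsed form yaml.safe_load returns. It goes beyond the page's literal `role: admin`: it also accepts the legacy short module name `ecs_service`, descends into block/rescue/always sections, and treats any role name or role ARN whose final path segment contains "admin" as an admin role (all of these are assumptions of the example).

```python
# Flags Ansible ECS service tasks whose 'role' is an admin role (added example).

# Task keys the module may appear under (assumption: FQCN and legacy short name).
ECS_SERVICE_MODULES = ("community.aws.ecs_service", "ecs_service")

def is_admin_role(role):
    """True when a role name or ARN's final path segment contains 'admin'.
    Assumption of this example: the page only shows the literal value 'admin'."""
    if not isinstance(role, str):
        return False
    name = role.rsplit("/", 1)[-1]  # arn:aws:iam::<acct>:role/Name -> Name
    return "admin" in name.lower()

def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        sections = [task[s] for s in ("block", "rescue", "always")
                    if isinstance(task.get(s), list)]
        if sections:
            for section in sections:
                yield from iter_tasks(section)
        else:
            yield task

def find_admin_ecs_services(tasks):
    """Return the names of ECS service tasks that attach an admin role."""
    findings = []
    for task in iter_tasks(tasks):
        for module in ECS_SERVICE_MODULES:
            params = task.get(module)
            if isinstance(params, dict) and is_admin_role(params.get("role")):
                findings.append(task.get("name", "<unnamed>"))
    return findings

# Constructed input: the page's two samples as yaml.safe_load would return them,
# plus a task nested in a block that uses a constructed admin role ARN.
SAMPLE_TASKS = [
    {"name": "ECS Service", "community.aws.ecs_service": {
        "state": "present", "name": "console-test-service", "cluster": "new_cluster",
        "task_definition": "new_cluster-task:1", "desired_count": 0, "role": "admin"}},
    {"name": "ECS Service (no role)", "community.aws.ecs_service": {
        "state": "present", "name": "console-test-service", "cluster": "new_cluster",
        "task_definition": "new_cluster-task:1", "desired_count": 0}},
    {"block": [{"name": "Nested ECS Service", "ecs_service": {
        "state": "present", "name": "svc", "cluster": "new_cluster",
        "task_definition": "new_cluster-task:1",
        "role": "arn:aws:iam::123456789012:role/AdminRole"}}]},
]
```

Running `find_admin_ecs_services(SAMPLE_TASKS)` reports the page's positive sample and the nested task, and leaves the negative sample alone.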