ECS task definitions where pidMode is host are configured to share the host's process namespace with containers, rather than using isolated task or private namespaces.
Risk
Host PID sharing lets containers view and interact with host processes, eroding isolation.
- Confidentiality: process enumeration and metadata leakage
- Integrity/Availability: signal or ptrace tampering, killing services
Enables lateral movement and privilege escalation from a compromised container.
prowler aws --checks ecs_task_definitions_host_namespace_not_shared
Recommendation
Prefer isolated PID namespaces: set pidMode to task, or omit pidMode so each container keeps its own namespace (the default). Avoid host PID sharing except for tightly controlled diagnostics.
Apply least privilege (non-root users, minimal capabilities, read-only filesystems) and defense in depth with network and runtime controls.
Remediation
aws ecs register-task-definition --family <example_resource_name> --pid-mode task --container-definitions '[{"name":"<container-name>","image":"<image>"}]'
- In the AWS Console, go to Amazon ECS > Task Definitions
- Select the task definition and click Create new revision
- Set Process namespace sharing (PID mode) to Task (not Host)
- Save the new revision
- (If the previous Host PID revision remains active) Select that revision and click Deregister
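The following is an added example, not Prowler's own check code or the project's task definitions. It evaluates two constructed ECS task definitions (placeholder family and image names): one with pidMode set to host, and the remediated revision with pidMode set to task plus the least-privilege settings named in the recommendation. The field names (pidMode, user, readonlyRootFilesystem, linuxParameters.capabilities.drop, privileged) are the standard ECS task definition attributes as returned by describe-task-definition; the helper function names are this example's own.

```python
"""Evaluate ECS task definitions for host PID namespace sharing.

Added example, not Prowler's code. The two task definitions below are
constructed samples; family and image names are placeholders.
"""
import json

# Constructed sample: a task definition that shares the host PID namespace.
WEAK_TASK_DEFINITION = json.loads("""
{
  "family": "example-host-pid",
  "pidMode": "host",
  "containerDefinitions": [
    {"name": "app", "image": "example/app:1.0", "privileged": false}
  ]
}
""")

# Constructed sample: the same task after remediation, with the additional
# least-privilege settings the recommendation calls for.
HARDENED_TASK_DEFINITION = json.loads("""
{
  "family": "example-task-pid",
  "pidMode": "task",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "example/app:1.0",
      "user": "1000:1000",
      "readonlyRootFilesystem": true,
      "linuxParameters": {"capabilities": {"drop": ["ALL"]}}
    }
  ]
}
""")


def shares_host_pid_namespace(task_definition: dict) -> bool:
    """Return True when the task definition sets pidMode to host.

    pidMode is optional: when it is absent each container gets its own PID
    namespace, which is the ECS default and passes the check.
    """
    return task_definition.get("pidMode") == "host"


def least_privilege_findings(task_definition: dict) -> list[str]:
    """List container-level hardening gaps named in the recommendation.

    Each finding is '<container>: <gap>'. An empty list means every container
    runs as a non-root user, drops all capabilities, uses a read-only root
    filesystem and is not privileged.
    """
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        user = container.get("user")
        # ECS runs the container as root when 'user' is omitted or root/0.
        if not user or user.split(":")[0] in ("root", "0"):
            findings.append(f"{name}: runs as root (no non-root 'user' set)")
        if not container.get("readonlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        caps = container.get("linuxParameters", {}).get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        if container.get("privileged", False):
            findings.append(f"{name}: container is privileged")
    return findings


def evaluate(task_definition: dict) -> dict:
    """Summarise a task definition the way a check report line would."""
    return {
        "family": task_definition.get("family"),
        "status": "FAIL" if shares_host_pid_namespace(task_definition) else "PASS",
        "findings": least_privilege_findings(task_definition),
    }


if __name__ == "__main__":
    for td in (WEAK_TASK_DEFINITION, HARDENED_TASK_DEFINITION):
        print(json.dumps(evaluate(td), indent=2))
```

To run this against real task definitions, feed it the `taskDefinition` object from `aws ecs describe-task-definition`; the PID-mode test alone mirrors the pass/fail condition of the check, while the least-privilege findings are informational and track the recommendation rather than the check itself.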
Resource Type
AwsEcsTaskDefinition