This control checks whether Amazon ECS task definitions are configured to share the host's process (PID) namespace with their containers, that is, whether the task-level pidMode parameter is set to host. The control fails if the task definition shares the host's process namespace.
Risk
A container that shares the host's process namespace can see every process on the host through /proc and can signal them, so a compromised container can enumerate, inspect or kill host-level and other tasks' processes. This undermines the process isolation that containers are expected to provide and makes escalation from a single container to the host considerably easier.
Run this check with Prowler CLI
prowler aws --checks ecs_task_definitions_host_namespace_not_shared
ARN template
arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}
Remediation
aws ecs register-task-definition --family <task-family> --pid-mode task --container-definitions '[{"name":"<container-name>","image":"<image>"}]'
https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3
Do not share the host's process namespace with containers: leave pidMode unset (each container gets its own PID namespace) or set it to task (containers in the task share a namespace only with each other). Note that pidMode is a task-definition-level parameter, not a container-definition parameter, and that registering a task definition creates a new revision, so services and scheduled tasks must be updated to the new revision and the old one deregistered for the fix to take effect.
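The following is an added example, not Prowler's own source code: it reproduces the check's logic (a task definition fails only when its top-level pidMode is host) against constructed sample task definitions shaped like the output of aws ecs describe-task-definition, and builds the JSON for a remediated revision that can be fed to aws ecs register-task-definition --cli-input-json. The account ID, family names, images and ARNs are made up; the set of read-only fields stripped before re-registration follows AWS guidance for re-registering a described task definition.

```python
"""Offline illustration of the ecs_task_definitions_host_namespace_not_shared
check and its remediation (added example, not Prowler's implementation)."""
import json

# Constructed sample task definitions (fictitious account, families and images),
# shaped like `aws ecs describe-task-definition --task-definition <family:revision>`.
SAMPLE_TASK_DEFINITIONS = [
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:3",
        "family": "web",
        "revision": 3,
        "pidMode": "host",  # shares the host PID namespace -> FAIL
        "containerDefinitions": [{"name": "nginx", "image": "nginx:1.25"}],
    },
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/api:7",
        "family": "api",
        "revision": 7,
        "pidMode": "task",  # containers share a namespace only with each other -> PASS
        "containerDefinitions": [{"name": "api", "image": "example/api:2.0"}],
    },
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/worker:1",
        "family": "worker",
        "revision": 1,
        # pidMode omitted: each container gets its own PID namespace -> PASS
        "containerDefinitions": [{"name": "worker", "image": "example/worker:1.4"}],
    },
]


def shares_host_pid_namespace(task_definition: dict) -> bool:
    """True when the top-level pidMode is "host". pidMode lives at the
    task-definition level, not inside containerDefinitions, so a pidMode key
    placed inside a container definition would have no effect."""
    return task_definition.get("pidMode") == "host"


def evaluate(task_definitions) -> list:
    """Return one finding per task definition with a PASS/FAIL status and a
    status_extended message, mirroring the shape of a Prowler finding."""
    findings = []
    for td in task_definitions:
        name = f"{td['family']}:{td['revision']}"
        if shares_host_pid_namespace(td):
            status = "FAIL"
            detail = f"ECS task definition {name} shares the host's process namespace (pidMode=host)."
        else:
            status = "PASS"
            detail = f"ECS task definition {name} does not share the host's process namespace."
        findings.append(
            {"resource_arn": td["taskDefinitionArn"], "status": status, "status_extended": detail}
        )
    return findings


# Fields returned by describe-task-definition that register-task-definition
# rejects; they must be removed before the definition is registered again.
_READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def remediated_registration_input(task_definition: dict) -> dict:
    """Build the input for `aws ecs register-task-definition --cli-input-json`:
    the same family and containers, with pidMode set to "task". Registering it
    creates a new revision; services must then be updated to that revision."""
    new_td = {k: v for k, v in task_definition.items() if k not in _READ_ONLY_FIELDS}
    new_td["pidMode"] = "task"  # deleting the key instead would also pass the check
    return new_td


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_TASK_DEFINITIONS):
        print(f"{finding['status']}: {finding['status_extended']}")
    # JSON for the failing definition, ready for --cli-input-json file://web-fixed.json
    print(json.dumps(remediated_registration_input(SAMPLE_TASK_DEFINITIONS[0]), indent=2))
```

Running the script prints one FAIL (web:3) and two PASS results, then the remediated web definition as JSON. In a real account the input would come from describe-task-definition for each active revision, and the output would be saved to a file and registered with the command above.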
Resource Type
AwsEcsTaskDefinition