From a641169eeae85adcc31f04d9fbd0f2d8af9162fe Mon Sep 17 00:00:00 2001
From: "Joshua C. Forest"
Date: Fri, 1 Sep 2023 10:36:00 -0400
Subject: [PATCH 1/3] solve the ECS.5 security hub error, root filesystem should be read only
---
 serverless-resources.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/serverless-resources.yml b/serverless-resources.yml
index 8766957..3496c4c 100644
--- a/serverless-resources.yml
+++ b/serverless-resources.yml
@@ -147,6 +147,7 @@ rBuildsBatchJobDefinitionUbuntu2004:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2004"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionUbuntu2204:
@@ -161,6 +162,7 @@ rBuildsBatchJobDefinitionUbuntu2204:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2204"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionDebian10:
@@ -175,6 +177,7 @@ rBuildsBatchJobDefinitionDebian10:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-10"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionDebian11:
@@ -189,6 +192,7 @@ rBuildsBatchJobDefinitionDebian11:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-11"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionDebian12:
@@ -203,6 +207,7 @@ rBuildsBatchJobDefinitionDebian12:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-12"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionCentos7:
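Review bot: `ReadOnlyRootFilesystem: true` is added between `Image` and `Timeout` in every job definition of this patch (Ubuntu 20.04 through Fedora 38, the same hunk shape in each) with no `Volumes`/`MountPoints` change visible in any hunk, so a build image that writes to /tmp, a package cache or a working directory on its root filesystem will now fail at its first write rather than at scan time. If the images only ever write to an already-mounted volume this is fine, but that cannot be confirmed from the hunks; otherwise each container needs a writable mount for those paths. Because this view has lost indentation, note also that the key must sit inside the container properties as a sibling of `Image`, not at the level of `Timeout`, or CloudFormation will reject it at deploy. A short comment above the added key would save the next person who hits EROFS a search: `# ECS.5: root filesystem is read-only; writable scratch space comes from the mounted volume(s)`. The enclosing job-definition properties mapping starts before the hunk.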
@@ -217,6 +222,7 @@ rBuildsBatchJobDefinitionCentos7:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-7"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionCentos8:
@@ -231,6 +237,7 @@ rBuildsBatchJobDefinitionCentos8:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-8"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionRhel9:
@@ -245,6 +252,7 @@ rBuildsBatchJobDefinitionRhel9:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:rhel-9"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionOpensuse154:
@@ -259,6 +267,7 @@ rBuildsBatchJobDefinitionOpensuse154:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:opensuse-154"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionFedora37:
@@ -273,6 +282,7 @@ rBuildsBatchJobDefinitionFedora37:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-37"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
 rBuildsBatchJobDefinitionFedora38:
@@ -287,6 +297,7 @@ rBuildsBatchJobDefinitionFedora38:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-38"
+ ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
From dab250f9cb9740bc7180acb14c3c66cd707eb3ef Mon Sep 17 00:00:00 2001
From: "Joshua C. Forest"
Date: Fri, 1 Sep 2023 10:40:06 -0400
Subject: [PATCH 2/3] explicitly set privileged=False to attempt to quiet security hub finding ECS.1
---
 serverless-resources.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/serverless-resources.yml b/serverless-resources.yml
index 3496c4c..9b651e5 100644
--- a/serverless-resources.yml
+++ b/serverless-resources.yml
@@ -147,6 +147,7 @@ rBuildsBatchJobDefinitionUbuntu2004:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2004"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -162,6 +163,7 @@ rBuildsBatchJobDefinitionUbuntu2204:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2204"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -177,6 +179,7 @@ rBuildsBatchJobDefinitionDebian10:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-10"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -192,6 +195,7 @@ rBuildsBatchJobDefinitionDebian11:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-11"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -207,6 +211,7 @@ rBuildsBatchJobDefinitionDebian12:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-12"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
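Review bot: `Privileged: false`, added after `Image` here and in the ten identical hunks through Fedora 38, is the documented default for Batch container properties, so the patch makes the default explicit without changing what the container runs as, and patch 3/3 of this series reverts it anyway. As far as I recall ECS.1 is evaluated on host network mode together with the container user rather than on the privileged flag alone, so if the finding is to be addressed from this file the lever Batch does expose is a non-root `User:` in each container-properties block, which only works if the build images can run unprivileged and needs confirming against them. If the explicit flag is ever kept, a comment such as `# Privileged defaults to false; stated explicitly for Security Hub ECS.1 review` would stop someone re-adding it to chase the same finding.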
@@ -222,6 +227,7 @@ rBuildsBatchJobDefinitionCentos7:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-7"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -237,6 +243,7 @@ rBuildsBatchJobDefinitionCentos8:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-8"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -252,6 +259,7 @@ rBuildsBatchJobDefinitionRhel9:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:rhel-9"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -267,6 +275,7 @@ rBuildsBatchJobDefinitionOpensuse154:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:opensuse-154"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -282,6 +291,7 @@ rBuildsBatchJobDefinitionFedora37:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-37"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -297,6 +307,7 @@ rBuildsBatchJobDefinitionFedora38:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-38"
+ Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
From dc89efcd1c947fda2de7fd571b3fdf2112f6ef05 Mon Sep 17 00:00:00 2001
From: "Joshua C. Forest"
Date: Fri, 1 Sep 2023 11:00:45 -0400
Subject: [PATCH 3/3] It turns out we can't fix ECS.1 as far as I can tell, we cannot change the networkmode at all unless we're using eks. https://docs.aws.amazon.com/batch/latest/userguide/job_definition_parameters.html
Revert "explicitly set privileged=False to attempt to quiet security hub finding ECS.1"
This reverts commit dab250f9cb9740bc7180acb14c3c66cd707eb3ef.
---
 serverless-resources.yml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/serverless-resources.yml b/serverless-resources.yml
index 9b651e5..3496c4c 100644
--- a/serverless-resources.yml
+++ b/serverless-resources.yml
@@ -147,7 +147,6 @@ rBuildsBatchJobDefinitionUbuntu2004:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2004"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -163,7 +162,6 @@ rBuildsBatchJobDefinitionUbuntu2204:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:ubuntu-2204"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -179,7 +177,6 @@ rBuildsBatchJobDefinitionDebian10:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-10"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -195,7 +192,6 @@ rBuildsBatchJobDefinitionDebian11:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-11"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -211,7 +207,6 @@ rBuildsBatchJobDefinitionDebian12:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:debian-12"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -227,7 +222,6 @@ rBuildsBatchJobDefinitionCentos7:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-7"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -243,7 +237,6 @@ rBuildsBatchJobDefinitionCentos8:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:centos-8"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -259,7 +252,6 @@ rBuildsBatchJobDefinitionRhel9:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:rhel-9"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -275,7 +267,6 @@ rBuildsBatchJobDefinitionOpensuse154:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:opensuse-154"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -291,7 +282,6 @@ rBuildsBatchJobDefinitionFedora37:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-37"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200
@@ -307,7 +297,6 @@ rBuildsBatchJobDefinitionFedora38:
 JobRoleArn:
 "Fn::GetAtt": [ rBuildsEcsTaskIamRole, Arn ]
 Image: "#{AWS::AccountId}.dkr.ecr.#{AWS::Region}.amazonaws.com/r-builds:fedora-38"
- Privileged: false
 ReadOnlyRootFilesystem: true
 Timeout:
 AttemptDurationSeconds: 7200