Is it a best practice to run as non-root user - Fargate

Question

I read through
1. https://d1.awsstatic.com/whitepapers/AWS_Fargate_Security_Overview_Whitepaper.pdf
2. https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html
3. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

And yet I am still not 100% sure if the recommendation is to have the containers running as non-root on **Fargate.**

According to the whitepaper an ECS task's isolation is pretty good in Fargate. Additionally the task_definition_parameters developerguide only has warnings to use non-root user when using network-mode=host, which confused me when I compared that information to the best practice guide.

I've worked at several places and rarely saw a container running with a different user, unless the app required it. This means either best practices have were not followed or I am understanding things wrong.

Would someone be able to verify that for me? Thanks

Accepted Answer

Hi,

Best practice is to run as non-root user: see https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html

```
Run containers as a non-root user
You should run containers as a non-root user. By default, containers run as the root 
user unless the USER directive is included in your Dockerfile. The default Linux capabilities 
that are assigned by Docker restrict the actions that can be run as root, but only marginally. 
For example, a container running as root is still not allowed to access devices.
```

As part of your CI/CD pipeline you should lint Dockerfiles to look for the USER directive and fail the build if it's missin

External sources also recommend to run Fargate images as non-root: https://www.alertlogic.com/blog/aws-fargate-security-best-practices/

Best,

Didier

Is it a best practice to run as non-root user - Fargate

Relevant content