By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Is it a best practice to run as non-root user - Fargate

0

I read through

  1. https://d1.awsstatic.com/whitepapers/AWS_Fargate_Security_Overview_Whitepaper.pdf
  2. https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html
  3. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

And yet I am still not 100% sure if the recommendation is to have the containers running as non-root on Fargate.

According to the whitepaper an ECS task's isolation is pretty good in Fargate. Additionally the task_definition_parameters developerguide only has warnings to use non-root user when using network-mode=host, which confused me when I compared that information to the best practice guide.

I've worked at several places and rarely saw a container running with a different user, unless the app required it. This means either best practices have were not followed or I am understanding things wrong.

Would someone be able to verify that for me? Thanks

asked a year ago2.8K views
1 Answer
1
Accepted Answer

Hi,

Best practice is to run as non-root user: see https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html

Run containers as a non-root user
You should run containers as a non-root user. By default, containers run as the root 
user unless the USER directive is included in your Dockerfile. The default Linux capabilities 
that are assigned by Docker restrict the actions that can be run as root, but only marginally. 
For example, a container running as root is still not allowed to access devices.

As part of your CI/CD pipeline you should lint Dockerfiles to look for the USER directive and fail the build if it's missin

External sources also recommend to run Fargate images as non-root: https://www.alertlogic.com/blog/aws-fargate-security-best-practices/

Best,

Didier

profile pictureAWS
EXPERT
answered a year ago
profile picture
EXPERT
reviewed 5 months ago
profile picture
EXPERT
reviewed a year ago
  • Much appreciated for the fast response!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions