ECS Task Definitions Do Not Share the Host Process Namespace
Overview
This check verifies that your Amazon ECS task definitions do not share the host's process (PID) or IPC (inter-process communication) namespaces. A container in the host PID namespace can see and signal every process running on the container instance, and a container in the host IPC namespace can reach the host's shared memory segments and other IPC objects; both undermine the isolation that containers are supposed to provide.
By default, when neither parameter is set, containers do not share these namespaces with the host. This check fails when pidMode or ipcMode is explicitly set to host in a task definition.
Risk
When task definitions enable host namespace sharing:
- Container escape potential: A compromised container can see every host process and, if it also runs as root or holds CAP_SYS_PTRACE, attach to them with ptrace or read their memory and environment through /proc
- Information disclosure: Containers can enumerate host processes and their command lines (world-readable in /proc), revealing details about other workloads such as secrets passed as arguments
- Service disruption: A container can send signals to host processes, including the ECS agent and the container runtime, and kill or interfere with them
- Privilege escalation: Access to host processes and IPC objects enables lateral movement and escalation attacks
Severity: High
Remediation Steps
Prerequisites
You need permission to view and update ECS task definitions. If you are updating a running service, you also need permission to update ECS services.
AWS Console Method
1. Open the Amazon ECS console
2. In the left navigation, click Task definitions
3. Select the task definition family that failed the check
4. Click the latest revision to view its details
5. Click Create new revision (you cannot edit existing revisions)
6. Scroll down to the Environment section
7. Find Process namespace sharing (pidMode) and change it from "Host": leave it blank for the default (each container gets its own PID namespace), or choose "Task" only if containers in the task need to share a PID namespace with each other
8. Find IPC namespace sharing (ipcMode) and change it from "Host": leave it blank for the default, or choose "Task" only if containers in the task need to share IPC with each other
9. Click Create to save the new revision
10. If this task definition is used by a running service:
  - Navigate to your ECS cluster
  - Select the service using this task definition
  - Click Update service
  - Select the new revision
  - Click Update to deploy
AWS CLI (optional)
List active task definitions (one ARN per revision) to identify affected resources
aws ecs list-task-definitions \
--region us-east-1 \
--status ACTIVE
Check the current configuration of a specific task definition
aws ecs describe-task-definition \
--task-definition my-task-family \
--region us-east-1 \
--query 'taskDefinition.{pidMode:pidMode,ipcMode:ipcMode}'
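To apply the same check across every ACTIVE revision in a region rather than one family at a time, the following Python is an added example (not part of the original page and not Prowler's own check implementation). The evaluate() function is pure and runs on the dict that describe-task-definition returns; scan_account() assumes boto3 is installed with credentials allowing ecs:ListTaskDefinitions and ecs:DescribeTaskDefinition, and the sample task definitions are constructed.

```python
"""Evaluate ECS task definitions for host PID/IPC namespace sharing.

Added example, not from the original page. evaluate() works on the dict
returned by describe-task-definition; scan_account() needs boto3 and AWS
credentials (assumed). SAMPLE_TASK_DEFINITIONS is constructed test data.
"""
from __future__ import annotations

from typing import Iterable

HOST = "host"


def evaluate(task_definition: dict) -> dict:
    """Return a finding for one task definition.

    The check fails only when pidMode or ipcMode is explicitly "host".
    Omitted values (None), "task", and ipcMode "none" all keep the
    containers isolated from the host and pass.
    """
    pid_mode = task_definition.get("pidMode")
    ipc_mode = task_definition.get("ipcMode")
    problems = []
    if pid_mode == HOST:
        problems.append("pidMode=host (containers see every host process)")
    if ipc_mode == HOST:
        problems.append("ipcMode=host (containers share host IPC resources)")
    family = task_definition.get("family")
    revision = task_definition.get("revision")
    return {
        "resource": f"{family}:{revision}" if revision is not None else family,
        "pidMode": pid_mode,
        "ipcMode": ipc_mode,
        "status": "FAIL" if problems else "PASS",
        "problems": problems,
    }


def noncompliant(task_definitions: Iterable[dict]) -> list[dict]:
    """Reduce an iterable of task definitions to the failing findings."""
    return [f for f in map(evaluate, task_definitions) if f["status"] == "FAIL"]


def scan_account(region: str) -> list[dict]:
    """Evaluate every ACTIVE revision in the region (needs boto3 + credentials)."""
    import boto3  # imported here so the pure functions above run without it

    ecs = boto3.client("ecs", region_name=region)
    findings = []
    # list_task_definitions is paginated and returns one ARN per revision
    for page in ecs.get_paginator("list_task_definitions").paginate(status="ACTIVE"):
        for arn in page["taskDefinitionArns"]:
            td = ecs.describe_task_definition(taskDefinition=arn)["taskDefinition"]
            findings.append(evaluate(td))
    return findings


# Constructed sample data in the shape describe-task-definition returns (trimmed).
SAMPLE_TASK_DEFINITIONS = [
    {"family": "web", "revision": 3, "pidMode": "host", "ipcMode": "task",
     "containerDefinitions": [{"name": "app", "image": "nginx:latest"}]},
    {"family": "worker", "revision": 1,
     "containerDefinitions": [{"name": "app", "image": "nginx:latest"}]},
    {"family": "sidecar-demo", "revision": 7, "pidMode": "task", "ipcMode": "none",
     "containerDefinitions": [{"name": "app", "image": "nginx:latest"}]},
    {"family": "agent", "revision": 2, "ipcMode": "host",
     "containerDefinitions": [{"name": "app", "image": "nginx:latest"}]},
]

if __name__ == "__main__":
    for finding in map(evaluate, SAMPLE_TASK_DEFINITIONS):
        print(f"{finding['status']:4} {finding['resource']:16} "
              f"pidMode={finding['pidMode']} ipcMode={finding['ipcMode']}")
```

Run it as a script to see the verdict for the constructed samples, or call scan_account("us-east-1") from a session with the listed permissions; the resource field gives you the family:revision to remediate with the steps that follow.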
Register a new secure revision
Create a JSON file (task-definition.json) with your task definition. Ensure pidMode and ipcMode are set to task (or omit them for default isolation):
{
"family": "my-task-family",
"pidMode": "task",
"ipcMode": "task",
"containerDefinitions": [
{
"name": "app",
"image": "nginx:latest",
"memory": 512,
"essential": true
}
]
}
Register the new revision:
aws ecs register-task-definition \
--cli-input-json file://task-definition.json \
--region us-east-1
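When the new revision is built from the output of describe-task-definition rather than written by hand, the read-only fields in that output (taskDefinitionArn, revision, status, requiresAttributes, compatibilities, registeredAt, registeredBy, deregisteredAt) must be stripped, or register-task-definition rejects the input. The following Python helper is an added example, not from the original page: it produces a registration-ready JSON document with the namespace settings removed (default isolation) or set to task, and refuses to emit host. The sample describe output is constructed.

```python
"""Build a hardened register-task-definition input from describe output.

Added example, not from the original page. The sample describe output is
constructed; the read-only field list is what RegisterTaskDefinition does
not accept as input.
"""
from __future__ import annotations

import json

# Present in describe-task-definition output, rejected by register-task-definition.
READ_ONLY_FIELDS = frozenset({
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
})
HOST = "host"


def harden(described: dict, pid_mode: str | None = None, ipc_mode: str | None = None) -> dict:
    """Return a new task definition dict suitable for register-task-definition.

    pid_mode / ipc_mode: None drops the key (default isolation from the host);
    "task" shares the namespace only among containers in the task.
    "host" is rejected because that is the misconfiguration being fixed.
    """
    if HOST in (pid_mode, ipc_mode):
        raise ValueError("refusing to register a task definition with host namespace sharing")
    # Accept either the full CLI response or the inner taskDefinition object.
    td = described.get("taskDefinition", described)
    new = {k: v for k, v in td.items() if k not in READ_ONLY_FIELDS}
    new.pop("pidMode", None)
    new.pop("ipcMode", None)
    if pid_mode is not None:
        new["pidMode"] = pid_mode
    if ipc_mode is not None:
        new["ipcMode"] = ipc_mode
    return new


def harden_json(described_json: str, **modes) -> str:
    """String-in, string-out wrapper for writing --cli-input-json file://... input."""
    return json.dumps(harden(json.loads(described_json), **modes), indent=2)


# Constructed sample in the shape of `aws ecs describe-task-definition` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/my-task-family:1",
        "family": "my-task-family",
        "revision": 1,
        "status": "ACTIVE",
        "pidMode": "host",
        "ipcMode": "host",
        "requiresCompatibilities": ["EC2"],
        "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.docker-remote-api.1.25"}],
        "compatibilities": ["EC2"],
        "registeredAt": "2024-01-01T00:00:00+00:00",
        "containerDefinitions": [
            {"name": "app", "image": "nginx:latest", "memory": 512, "essential": True}
        ],
    }
}
SAMPLE_DESCRIBE_JSON = json.dumps(SAMPLE_DESCRIBE_OUTPUT, indent=2)

if __name__ == "__main__":
    # Save this output as task-definition.json, then:
    #   aws ecs register-task-definition --cli-input-json file://task-definition.json
    print(harden_json(SAMPLE_DESCRIBE_JSON, pid_mode="task"))
```

Pipe `aws ecs describe-task-definition --task-definition my-task-family` into harden_json, write the result to task-definition.json, and register it with the command above; leave both modes unset unless the containers in the task genuinely need to share a namespace with each other.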
Update a service to use the new revision (passing the family name without a revision number selects the latest ACTIVE revision)
aws ecs update-service \
--cluster my-cluster \
--service my-service \
--task-definition my-task-family \
--region us-east-1
Deregister the insecure old revision (optional)
After confirming the new revision works correctly. Deregistering marks the revision INACTIVE so it cannot be used for new services or task launches; tasks already running from it are not stopped, which is why the service update above must come first:
aws ecs deregister-task-definition \
--task-definition my-task-family:1 \
--region us-east-1
CloudFormation (optional)
Use this CloudFormation template to create a task definition with secure namespace settings:
AWSTemplateFormatVersion: '2010-09-09'
Description: ECS Task Definition with secure namespace configuration
Parameters:
TaskFamily:
Type: String
Description: The name of the task definition family
Default: my-secure-task
ContainerImage:
Type: String
Description: The container image to use
Default: nginx:latest
Resources:
SecureTaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref TaskFamily
PidMode: task
IpcMode: task
RequiresCompatibilities:
- EC2
ContainerDefinitions:
- Name: app
Image: !Ref ContainerImage
Memory: 512
Essential: true
Outputs:
TaskDefinitionArn:
Description: ARN of the secure task definition
Value: !Ref SecureTaskDefinition
Key properties:
- PidMode: task - containers share a PID namespace within the task only, not with the host
- IpcMode: task - containers share an IPC namespace within the task only, not with the host
Deploy the template:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name secure-ecs-task \
--parameter-overrides TaskFamily=my-secure-task \
--region us-east-1
Terraform (optional)
Use this Terraform configuration to create a task definition with secure namespace settings:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable "task_family" {
description = "The name of the task definition family"
type = string
default = "my-secure-task"
}
variable "container_image" {
description = "The container image to use"
type = string
default = "nginx:latest"
}
resource "aws_ecs_task_definition" "secure_task" {
family = var.task_family
# Secure namespace configuration - use "task" instead of "host"
pid_mode = "task"
ipc_mode = "task"
container_definitions = jsonencode([
{
name = "app"
image = var.container_image
memory = 512
essential = true
}
])
}
output "task_definition_arn" {
description = "ARN of the secure task definition"
value = aws_ecs_task_definition.secure_task.arn
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After creating a new task definition revision:
- Go to the ECS Task Definitions console
- Select your task definition
- Under the Environment section, verify:
- Process namespace sharing shows "Task" or is blank (not "Host")
- IPC namespace sharing shows "Task" or is blank (not "Host")
CLI verification
aws ecs describe-task-definition \
--task-definition my-task-family \
--region us-east-1 \
--query 'taskDefinition.{Family:family,Revision:revision,PidMode:pidMode,IpcMode:ipcMode}'
Expected output for a compliant task definition:
{
"Family": "my-task-family",
"Revision": 2,
"PidMode": "task",
"IpcMode": "task"
}
If PidMode and IpcMode are null or "task" (or, for IpcMode, "none"), the check will pass. If either shows "host", the check will fail.
Additional Resources
- Amazon ECS Task Definition Parameters
- ECS Task Networking
- AWS ECS Security Best Practices
- Prowler Check Documentation
Notes
- Fargate compatibility: Host namespace sharing is not available on AWS Fargate. ipcMode is not supported for Fargate tasks at all, and pidMode on Fargate only accepts task (Linux tasks on platform version 1.4.0 or later), so Fargate tasks are always isolated from the host and this check typically only flags EC2 launch type tasks.
- Legitimate use cases: Some specialized workloads (such as host monitoring agents or debugging tools) may legitimately require host namespace access. If you have such a use case, document the business justification and implement compensating controls such as:
  - Running containers as non-root users
  - Dropping unnecessary Linux capabilities (SYS_PTRACE and SYS_ADMIN in particular)
  - Using read-only root filesystems
  - Restricting which container images can use host namespaces
- Task-level sharing: Setting pidMode or ipcMode to task allows containers within the same task to share namespaces with each other (but not with the host). This is useful for sidecar patterns where one container needs to observe or signal another, at the cost of isolation between the containers in that task.
- Service updates: Changing a task definition creates a new revision. Running services must be updated to use the new revision for the change to take effect; tasks already running from the old revision keep their host namespaces until they are replaced.