aws / amazon-ecs-init

Amazon Elastic Container Service RPM
http://aws.amazon.com/ecs
Apache License 2.0

Offhost ECS Agent Container Introspection is permanently enabled when primary NIC is not called eth0 #440

Closed jocado closed 2 years ago

jocado commented 2 years ago

Summary

On systems with primary network interface names that aren't eth0, access to the Container Introspection API is not restricted, even if ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS=true is set.

Description

We noticed that there was an externally available service running on hosts, an API with ECS task information. Anyone with IP connectivity to the host is able to query the ECS information.

On investigation, we found this is the ECS Agent Container Introspection API: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html

It should be disabled by default, and configurable via ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS.

In our case it is not disabled by default, and the configuration parameter makes no difference.

When we dug into it, we found that this is supposed to be controlled by an iptables rule on the INPUT chain of the filter table. However, the network interface name used in the rule is hard-coded to eth0: https://github.com/aws/amazon-ecs-init/blob/master/ecs-init/exec/iptables/iptables.go#L186-L194

The systems we are running the ECS Agent on [for ECS Anywhere] use Predictable Network Interface Names, https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html, which is standard on most Linux distros now.

I think building the logic to determine which interface is the relevant one will be cumbersome for ECS Init, but making it configurable would be a pragmatic solution that will enable it for our use case, and fix what is a security issue for our deployment.

Probably something like: ECS_OFFHOST_INTROSPECTION_INTERFACE=blah0

Expected Behavior

Traffic to ECS Agent Container Introspection API should be blocked from external hosts

Observed Behavior

Traffic to ECS Agent Container Introspection API is allowed from external hosts

Environment Details

Ubuntu 20.04
ECS Init v1.52
Docker 19.03.13

Supporting Log Snippets
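An added audit check, not part of this issue or of the ecs-init project, that reproduces the failure described above offline: it parses `iptables -S INPUT` output and reports when the DROP rule guarding the introspection API names an interface that does not exist on the host. It assumes the rule has the shape `-i <iface> ... --dport 51678 -j DROP` (51678 being the introspection API's listen port) and runs on constructed sample data rather than the live host.

```shell
#!/bin/sh
# Audit helper (added example, not ecs-init code): does the iptables rule that
# is meant to block off-host introspection access reference an interface that
# actually exists on this host?  On a host with predictable interface names
# the rule is present but pinned to eth0, so it never matches any packet.

# Constructed sample of `iptables -S INPUT` from an affected host.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51678 -j DROP'

# Constructed interface list from a host using predictable names (no eth0).
# On a real host this would come from: ls /sys/class/net
SAMPLE_IFACES='lo ens5 docker0'

# introspection_rule_ifaces RULES
# Prints, one per line, the interface named by each DROP rule for dport 51678.
# Assumes the rule matches the interface with -i (as `iptables -S` prints it).
introspection_rule_ifaces() {
    printf '%s\n' "$1" | awk '/--dport 51678/ && /-j DROP/ {
        for (i = 1; i <= NF; i++) if ($i == "-i") print $(i + 1)
    }'
}

# check_introspection_guard RULES IFACES
# Returns 0 if every blocking rule targets a present interface,
#         1 if no blocking rule exists at all,
#         2 if a blocking rule names an interface that is absent
#           (the case on this page: the guard is silently ineffective).
check_introspection_guard() {
    rules="$1"; ifaces="$2"
    found=0; missing=0
    for ifname in $(introspection_rule_ifaces "$rules"); do
        found=1
        case " $ifaces " in
            *" $ifname "*) ;;
            *) missing=1
               echo "WARN: introspection DROP rule references absent interface '$ifname'" ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "WARN: no DROP rule for the introspection port found in INPUT"
        return 1
    fi
    [ "$missing" -eq 0 ] || return 2
    return 0
}

# Stand-alone run against the constructed sample: reports the eth0 mismatch.
check_introspection_guard "$SAMPLE_RULES" "$SAMPLE_IFACES" \
    || echo "introspection guard is ineffective on this host (rc=$?)"
```

On a live host, feed it `"$(iptables -S INPUT)"` and `"$(ls /sys/class/net | tr '\n' ' ')"` instead of the constructed samples.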

sharanyad commented 2 years ago

@jocado Thanks for reporting this. We have marked this as an enhancement and will work on supporting this.

jocado commented 2 years ago

Great - please let me know if you need any further information :+1:

sharanyad commented 2 years ago

This is now released as part of https://github.com/aws/amazon-ecs-init/releases/tag/v1.55.4-1, configurable via ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME. Closing the issue.

jocado commented 2 years ago

Great - thanks! I look forward to testing :+1: