Closed jocado closed 2 years ago
@jocado Thanks for reporting this. We have marked this as an enhancement and will work on supporting this.
Great - please let me know if you need any further information :+1:
This is now released as part of https://github.com/aws/amazon-ecs-init/releases/tag/v1.55.4-1, configurable via ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME.
Closing the issue.
Great - thanks! I look forward to testing :+1:
Summary
On systems with primary network interface names that aren't eth0, access to the Container Introspection API is not restricted, even if ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS=true is set.
Description
We noticed that there was an externally available service running on hosts, an API with ECS task information. Anyone with IP connectivity to the host is able to query the ECS information.
On investigation, we found this is the ECS Agent Container Introspection API: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html
It should be disabled by default, and configurable via ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS
In our case it is not disabled by default, and the configuration parameter makes no difference.
When we dug into it, we found that this is supposed to be controlled by an iptables rule on the INPUT chain of the filter table. However, the network interface name used in the rule is hard-coded to eth0: https://github.com/aws/amazon-ecs-init/blob/master/ecs-init/exec/iptables/iptables.go#L186-L194
The systems we are running the ECS Agent on [for ECS Anywhere] use Predictable Network Interface Names, https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html, which is standard on most Linux distros now.
I think building the logic to determine which interface is the relevant one will be cumbersome for ECS Init, but making it configurable would be a pragmatic solution that will enable it for our use case, and fix what is a security issue for our deployment.
Probably something like:
ECS_OFFHOST_INTROSPECTION_INTERFACE=blah0
Expected Behavior
Traffic to ECS Agent Container Introspection API should be blocked from external hosts
Observed Behavior
Traffic to ECS Agent Container Introspection API is allowed from external hosts
Environment Details
Ubuntu 20.04, ECS Init v1.52, Docker 19.03.13
Supporting Log Snippets
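The issue above comes down to a filter rule that names one interface (eth0) while the host's traffic actually arrives on another (an ens*/enp* name). The following POSIX shell check is an added example and is not code from the ECS Agent, ecs-init, or the reporter: it reads the interface carrying the default route from `ip route` style output, then looks in `iptables -S INPUT` style output for a DROP rule on that interface for the introspection port. The port number 51678, the exact shape of the DROP rule, and the sample route and rule text are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of aws/amazon-ecs-init. Verifies that the INPUT
# chain drops off-host traffic to the introspection port on the interface
# that actually carries the host's default route.

INTROSPECTION_PORT=51678   # assumed: port of the agent introspection listener

# primary_interface: print the "dev" of the default route.
# Reads `ip route` style text on stdin so it can be exercised offline.
primary_interface() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# rule_covers_interface IFACE PORT: read `iptables -S INPUT` style text on
# stdin; succeed (0) if a DROP rule for PORT on IFACE exists, else fail (1).
# The rule shape is an assumption; adjust the pattern to the ruleset in use.
rule_covers_interface() {
  iface="$1"
  port="$2"
  grep -E -- "^-A INPUT .*-i ${iface} .*--dport ${port} .*-j DROP" >/dev/null
}

# check_offhost_block ROUTES RULES: combine the two checks and report.
# Returns 0 when the primary interface is covered, 1 when it is exposed.
check_offhost_block() {
  routes="$1"
  rules="$2"
  iface=$(printf '%s\n' "$routes" | primary_interface)
  if [ -z "$iface" ]; then
    echo "UNKNOWN: no default route found"
    return 1
  fi
  if printf '%s\n' "$rules" | rule_covers_interface "$iface" "$INTROSPECTION_PORT"; then
    echo "OK: port $INTROSPECTION_PORT is dropped on primary interface $iface"
    return 0
  fi
  echo "EXPOSED: no DROP rule for port $INTROSPECTION_PORT on primary interface $iface"
  return 1
}

# Constructed sample data: a host whose primary interface is ens5.
SAMPLE_ROUTES='default via 10.0.0.1 dev ens5 proto dhcp src 10.0.0.10 metric 100
10.0.0.0/24 dev ens5 proto kernel scope link src 10.0.0.10'

# Constructed ruleset with the interface name hard-coded to eth0 (the bug).
SAMPLE_RULES_ETH0='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51678 -j DROP'

# Constructed ruleset that names the real primary interface (the fix).
SAMPLE_RULES_ENS5='-P INPUT ACCEPT
-A INPUT -i ens5 -p tcp -m tcp --dport 51678 -j DROP'

# Stand-alone demonstration; on a live host replace the samples with
# "$(ip route)" and "$(iptables -S INPUT)".
check_offhost_block "$SAMPLE_ROUTES" "$SAMPLE_RULES_ETH0" || :
check_offhost_block "$SAMPLE_ROUTES" "$SAMPLE_RULES_ENS5" || :
```

The check deliberately derives the interface from the routing table rather than from a configured name, so it also catches a correctly set ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME that has drifted after a NIC rename or a new default route.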