Add check on "initProcessEnabled" flag
toricls committed Apr 13, 2021
1 parent 98d1c33 commit cbc544b
Showing 2 changed files with 30 additions and 11 deletions.
11 changes: 7 additions & 4 deletions README.md
Expand Up @@ -84,26 +84,29 @@ The IAM user/role you used for the `check-ecs-exec.sh` are not allowed to use th
Note that the `Condition` element of the IAM policy is not currently supported to evaluate by `check-ecs-exec.sh`.

7. **_🟡 Can I ExecuteCommand? | ssm:StartSession denied?: allowed_**
The result means your IAM user/role is allowed to do `ssm:StartSession` action to the ECS task. This check item won't block you to use ECS Exec, but we recommend you to limit access to the `ssm:StartSession` API, from the security and the principle of least privilege perspectives. See [the official documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-limit-access-start-session) for further details.
The result means your IAM user/role is allowed to do `ssm:StartSession` action to the ECS task. This check item won't block you to use ECS Exec, but we recommend you to limit access to the `ssm:StartSession` API, from the security and the principle of least privilege perspectives. See [the ECS official documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-limit-access-start-session) for further details.
Note that the `Condition` element of the IAM policy is not currently supported to evaluate by `check-ecs-exec.sh`.

8. **_🔴 Platform Version | 1.3.0 (Required: >= 1.4.0)_**
On AWS Fargate, `ECS Exec` requires the Platform version 1.4.0 or newer. If your ECS task is part of an ECS service, then you can update the platform version by specifying the `PlatformVersion` parameter for the `UpdateService` API. If your ECS task is a standalone task, then you need to re-run the ECS task with the `PlatformVersion` parameter specified for the `RunTask` API. See also [the migration guide from the previous PVs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html#platform-version-migration).

9. **_🔴 ECS Agent Version | x.y.z (Required: >= 1.50.2)_**
You need to update the version of the ECS Container Agent for your EC2 instance where your ECS task runs. See [the official documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) for the details and how to update.
You need to update the version of the ECS Container Agent for your EC2 instance where your ECS task runs. See [the ECS official documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) for the details and how to update.

10. **_🔴 Exec Enabled for Task | NO_**
You need to enable the ECS Exec feature for your ECS service or your ECS standalone task. If your ECS task is part of an ECS service, then you can update the ECS by specifying the `EnableExecuteCommand` parameter for the `UpdateService` API. If your ECS task is a standalone task, then you need to re-run the ECS task with the `EnableExecuteCommand` parameter specified for the `RunTask` API.

11. **_🔴 Managed Agent Status | STOPPED (Reason: stopped-reason-here)_**
The managed agent for a container in your Task has stopped for some reasons. If you see this error again and again even after re-running your ECS task, then make sure you have other results from `check-ecs-exec.sh` are all green.

12. **_🔴 EC2 or Task Role | Not Configured"_ or _{serviceName}:{ActionName}: implicitDeny_**
12. **_🟡 Init Process Enabled | Disabled_**
This check item won't block you to use ECS Exec, but we recommend you to add the `initProcessEnabled` flag to your ECS task definition for each container to avoid having orphaned and zombie processes. See the "Considerations for using ECS Exec" in [the ECS official documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-considerations) for more details.

13. **_🔴 EC2 or Task Role | Not Configured"_ or _{serviceName}:{ActionName}: implicitDeny_**
Your ECS task needs a task role or an instance role of the underlying EC2 instance with some permissions for using SSM Session Manager at least. See the [IAM permissions required for ECS Exec](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-enabling-and-using) section and the [Enabling logging and auditing in your tasks and services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-logging) section in the official documentation for the details.
Note that the `Condition` element of the IAM policy is not currently supported to evaluate by `check-ecs-exec.sh`.

13. **_🟡 SSM PrivateLink "com.amazonaws.(region).ssmmessages" not found_**
14. **_🟡 SSM PrivateLink "com.amazonaws.(region).ssmmessages" not found_**
The `check-ecs-exec.sh` found one or more VPC endpoints configured in the VPC for your task, so you **may** want to add an additional SSM PrivateLink for your VPC. Make sure your ECS task has proper outbound internet connectivity, and if it doesn't, then you **need** to configure an additional SSM PrivateLink for your VPC.

## Security
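Review bot: the heading for item 13 (`EC2 or Task Role | Not Configured"_ or ...`) carries a stray double quote after `Not Configured` that was inherited from the old item 12 line and copied into the renumbered one; since the line is touched anyway, drop the quote. Two smaller points on the new item 12 text: the key the script actually reads is `linuxParameters.initProcessEnabled` (see the `jq` path in the `check-ecs-exec.sh` hunk), so naming `linuxParameters` here would tell readers where the flag lives in the container definition; and "won't block you to use ECS Exec" / "recommend you to add" read better as "won't block you from using ECS Exec" and "recommend adding".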
30 changes: 23 additions & 7 deletions check-ecs-exec.sh
Expand Up @@ -182,15 +182,15 @@ fi
## 3. CHECK CLUSTER AND TASK CONFIGURATIONS ##############################################
printf "\n"
printSectionHeaderLine
printf "${COLOR_DEFAULT}Configurations for ECS task and other resources\n"
printf "${COLOR_DEFAULT}Checks on ECS task and other resources\n"
printSectionHeaderLine
printf "${COLOR_DEFAULT}Region : ${AWS_REGION}\n"
printf "${COLOR_DEFAULT}Cluster: ${CLUSTER_NAME}\n"
printf "${COLOR_DEFAULT}Task : ${TASK_ID}\n"
printSectionHeaderLine
##########################################################################################

# 1. Checks on the cluster configurations
# 1. Checks on the cluster configurations (yellow)
describedClusterJson=$(${AWS_CLI_BIN} ecs describe-clusters \
--clusters "${CLUSTER_NAME}" \
--include CONFIGURATIONS \
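Review bot: the `(yellow)` suffix being introduced on the step comments is useful, but nothing in the script says what it means; a one-line comment near the new "Checks on ECS task and other resources" header stating that yellow marks advisory checks that do not block ECS Exec (which is how the README describes the 🟡 items) would save the next reader from guessing.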
Expand Down Expand Up @@ -279,7 +279,7 @@ if [[ ! "x${kmsKeyId}" = "xnull" ]]; then
| jq -r ".EvaluationResults[0].EvalDecision")
showEvalResult "${kmsGenerateDataKeyResult}" "${kmsGenerateDataKey}"
fi
## Check for ensuring "I cannot" call ssm:StartSession
## Check for ensuring "I cannot" call ssm:StartSession (yellow)
### See the "Limiting access to the Start Session action" section at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-limit-access-start-session
ssmStartSession="ssm:StartSession"
printf "${COLOR_DEFAULT} ${ssmStartSession} denied?: "
Expand Down Expand Up @@ -345,7 +345,7 @@ printf "${COLOR_DEFAULT}\n"
# 5. Check the managed agents' status
printf "${COLOR_DEFAULT} Managed Agent Status | "
if [[ "x${executeCommandEnabled}" = "xfalse" ]]; then
printf "${COLOR_DEFAULT}SKIPPED\n"
printf "${COLOR_YELLOW}SKIPPED\n"
else
printf "\n"
agentsStatus=$(echo "${describedTaskJson}" | jq -r ".tasks[0].containers[].managedAgents[].lastStatus")
Expand All @@ -365,11 +365,27 @@ else
done
fi

# 6. Check the task role permissions
# 6. Check the "initProcessEnabled" flag added in the task definition (yellow)
taskDefArn=$(echo "${describedTaskJson}" | jq -r ".tasks[0].taskDefinitionArn")
taskDefJson=$(${AWS_CLI_BIN} ecs describe-task-definition \
--task-definition "${taskDefArn}" \
--output json)
initEnabledList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].linuxParameters.initProcessEnabled")
idx=0
printf "${COLOR_DEFAULT} Init Process Enabled | ${taskDefArn}\n"
for enabled in $initEnabledList; do
containerName=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].name")
printf " $((idx+1)). "
case "${enabled}" in
*true* ) printf "${COLOR_GREEN}Enabled";;
*false* ) printf "${COLOR_YELLOW}Disabled";;
* ) printf "${COLOR_YELLOW}Disabled";;
esac
printf "${COLOR_DEFAULT} for \"${containerName}\" container\n"
idx=$((idx+1))
done

# 7. Check the task role permissions
taskRoleArn=$(echo "${taskDefJson}" | jq -r ".taskDefinition.taskRoleArn")

hasRole=true
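Review bot: `taskDefJson` is read as unchanged context at `taskRoleArn=$(echo "${taskDefJson}" | jq -r ".taskDefinition.taskRoleArn")`, so it was already populated somewhere before this hunk; check whether the new `describe-task-definition` call in step 6 duplicates an earlier fetch and, if the fetch was moved here, that nothing between the old location and this point still reads the variable. In the `case`, the `*false*` and `*` arms print the same thing and can be merged as `*false*|*)`; a container with no `linuxParameters` block yields `null` from `jq` and lands in that arm, so "Disabled" there also covers "not set", which matches what the README item describes but is worth a comment. If `describe-task-definition` fails (for example because the caller lacks the describe permission), `initEnabledList` is empty, the loop body never runs and the section prints only the header line, and the later `taskRoleArn` read is then empty as well; a guard on an empty `taskDefJson` that prints a red result would make that failure visible instead of silent.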
Expand Down Expand Up @@ -499,8 +515,8 @@ else
fi
fi

# 7. Check existing VPC Endpoints (PrivateLinks) in the task VPC.
# If there is any VPC Endpoints configured for the task VPC, we assume you would need an additional SSM PrivateLink to be configured.
# 8. Check existing VPC Endpoints (PrivateLinks) in the task VPC.
# If there is any VPC Endpoints configured for the task VPC, we assume you would need an additional SSM PrivateLink to be configured. (yellow)
# TODO: In the ideal world, the script should simply check if the task can reach to the internet or not :)
taskNetworkingAttachment=$(echo "${describedTaskJson}" | jq -r ".tasks[0].attachments[0]")
taskVpcId=""
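Review bot: the `(yellow)` tag lands at the end of the second comment line, after the explanatory sentence, whereas the other hunks put it on the step's first line (`# 1. ... (yellow)`, `# 6. ... (yellow)`); moving it to `# 8. Check existing VPC Endpoints (PrivateLinks) in the task VPC. (yellow)` keeps the convention consistent and easier to grep.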
