ECS Service admin role is present

ID

aws_ecs_service_admin_role

Severity

high

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The `role` parameter of `community.aws.ecs_service` names the IAM role that Amazon ECS assumes to make load-balancer calls on the service's behalf (registering and deregistering targets). Setting it to an administrative role, `Admin` in the example below, hands the ECS service principal far more permissions than that, which contradicts least-privilege access: every action ECS performs for this service runs with administrator rights it never needs, and anyone allowed to pass that role to ECS gains an indirect path to those rights. The fix is to pass a role whose trust policy allows only `ecs.amazonaws.com` to assume it and whose permissions cover only the ECS service's load-balancer calls. Note also that the module documents this parameter as required only when the service uses a load balancer in a network mode other than awsvpc; a service with a `network_configuration` (awsvpc) uses the ECS service-linked role, so `role` should then be omitted entirely.

Learn more about this topic at AWS ECS Service role parameter.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create ECS service on VPC network
      community.aws.ecs_service:
        state: present
        name: console-test-service
        cluster: new_cluster
        task_definition: 'new_cluster-task:1'
        desired_count: 0
        role: Admin
        network_configuration:
          subnets:
            - subnet-abcd1234
          security_groups:
            - sg-aaaa1111
            - my_security_group

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create ECS service on VPC network
      community.aws.ecs_service:
        state: present
        name: console-test-service
        cluster: new_cluster
        task_definition: 'new_cluster-task:1'
        desired_count: 0
        role: User
        network_configuration:
          subnets:
            - subnet-abcd1234
          security_groups:
            - sg-aaaa1111
            - my_security_group
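The mitigation above swaps one role name for another but does not show what a scoped role looks like. The following playbook is an added example, not part of the original rule page or of the community.aws collection: it creates a dedicated role that only ECS can assume, attaches only the AWS-managed policy for the ECS service role, passes it to a service that actually needs one (a load-balanced service in a non-awsvpc network mode), and omits `role` on the awsvpc service so ECS falls back to its service-linked role. The role name `ecs-service-lb-role`, the target group ARN, the container name and port, and the subnet/security-group IDs are placeholders; the `amazon.aws.iam_role` module is assumed to be available (amazon.aws 5.0 or later).

```yaml
---
# Added example (not from the original rule page): a least-privilege
# replacement for 'role: Admin'. All resource names and IDs below are
# placeholders.
- name: ECS service with a least-privilege service role
  hosts: localhost
  tasks:
    - name: create a role that only the ECS service principal can assume
      amazon.aws.iam_role:
        name: ecs-service-lb-role            # placeholder role name
        state: present
        assume_role_policy_document:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: ecs.amazonaws.com   # nothing else may assume it
              Action: sts:AssumeRole
        # AWS-managed policy scoped to the ELB/EC2 calls the ECS service makes
        managed_policies:
          - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
      register: ecs_service_role

    # A load-balanced service whose task definition uses bridge/host network
    # mode does need an explicit role: pass the scoped role, not Admin.
    - name: create ECS service behind a load balancer (non-awsvpc task definition)
      community.aws.ecs_service:
        state: present
        name: console-test-service
        cluster: new_cluster
        task_definition: 'new_cluster-task:1'
        desired_count: 0
        role: "{{ ecs_service_role.iam_role.arn }}"
        load_balancers:
          - targetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef  # placeholder
            containerName: web     # placeholder container name
            containerPort: 80

    # A service with network_configuration (awsvpc) uses the ECS service-linked
    # role AWSServiceRoleForECS, so no 'role' is set at all.
    - name: create ECS service on VPC network (awsvpc task definition)
      community.aws.ecs_service:
        state: present
        name: console-test-service-vpc
        cluster: new_cluster
        task_definition: 'new_cluster-task:1'
        desired_count: 0
        network_configuration:
          subnets:
            - subnet-abcd1234
          security_groups:
            - sg-aaaa1111
```

The trust policy is the part that most often gets skipped: a role with a narrow permissions policy but a broad trust policy can still be assumed by principals other than ECS, so both halves need to be restricted for the service role to count as least-privilege.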