HIPAA Security - Implement ecs-task-definition-user-for-host-mode-check config rule

[dontirun]

Summary

As a developer

I would like to implement the ecs-task-definition-user-for-host-mode-check config rule

So that I can check if qualified resources in my CDK app conforms to the following HIPAA Security control(s): 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1)

Details

ruleId: HIPAA.Security-ECSTaskDefinitionUserForHostMode

info: The ECS task definition is configured for host networking and has at least one container with definitions with 'privileged' set to false or empty or 'user' set to root or empty - (Control IDs: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1))

Given Reason: If a task definition has elevated privileges it is because the customer has specifically opted-in to those configurations. This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.

Acceptance Criteria

If the rule can be implemented

Given a CDK app with a non-compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack does not deploy and the user receives an ERROR with relevant Control ID information about the non compliant resource

Given a CDK app with a compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack deploys and the user does not receive an ERROR about the compliant resource

Given the cdk-nag RULES file

• When the HIPAA.Security-ECSTaskDefinitionUserForHostMode rule is added to the rule pack
• Then the HIPAA Security Errors section is updated with the rule information

If the rule cannot be implemented

Given the cdk-nag RULES file

• When the ecs-task-definition-user-for-host-mode-check check is not added to the rule pack
• Then the HIPAA Security Excluded Rules section is updated with the check information