
cis-aws-compute-3.13

This skill audits Amazon ECS task definitions to verify that container images come from trusted sources approved by your organization, using AWS Console or CLI commands to inspect the image field in containerDefinitions. Apply this control when deploying ECS workloads to prevent vulnerabilities, malware, or unauthorized modifications from compromising containerized applications.

Install in Claude Code
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-3.13 && cp -r /tmp/cis-aws-compute-3.13/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-3.13 ~/.claude/skills/cis-aws-compute-3.13
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Ensure only trusted images are used with Amazon ECS

## Description

Ensure that only trusted container images from verified sources or private repositories are used with Amazon ECS to maintain the integrity and security of workloads.

Note: This recommendation assumes that only the latest active revision of a task definition is in use. If older revisions are in use, apply the audit and remediation procedures to those revisions as needed.

## Rationale

Using trusted images reduces the risk of vulnerabilities, malware, or unauthorized modifications compromising ECS tasks.

## Impact

Minor costs for scanning, storage, and administrative effort to enforce policies and manage approved images.

## Audit Procedure

### Using AWS Console

1. Log in to the ECS console at https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Task definitions`.
3. Click the name of a task definition.
4. Click on the latest active revision of the task definition.
5. Click `JSON`.
6. For each element under `containerDefinitions`, ensure that `image` is set to an image trusted by your organization.
7. Repeat steps 1-6 for each task definition.

### Using AWS CLI

Run the following command to list task definitions:

```
aws ecs list-task-definitions
```

For the latest revision of a task definition, run the following command:

```
aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.containerDefinitions[*].image'
```

Ensure that the command returns only images trusted by your organization.
Repeat for each task definition.
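As an added example (not part of the benchmark text or the CyberStrike skill), the CLI audit above expressed in Python: it normalizes each `image` the way Docker does, so a bare `nginx` is recognised as a Docker Hub image, and compares the result against an allowlist of trusted registry prefixes. The allowlist, the ECR account id and the sample task definition are constructed; `audit_account` assumes boto3 is installed with AWS credentials configured.

```python
import json

# Constructed allowlist (assumption): an image is trusted if its normalized
# name starts with one of these. The ECR account id and region are placeholders.
TRUSTED_PREFIXES = (
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/",
    "docker.io/library/",  # Docker Official Images only
)

def normalize_image(image: str) -> str:
    """Expand Docker Hub defaults ('nginx:1.25' -> 'docker.io/library/nginx:1.25',
    'acme/app' -> 'docker.io/acme/app'); a first component with '.', ':' or 'localhost' is a host."""
    first, slash, _ = image.partition("/")
    if not slash:
        return "docker.io/library/" + image
    if "." in first or ":" in first or first == "localhost":
        return image
    return "docker.io/" + image

def untrusted_images(task_definition: dict, trusted=TRUSTED_PREFIXES) -> list:
    """Audit step 6 in code: one 'family:revision/container=image' entry per
    container whose image falls outside the allowlist."""
    family, rev = task_definition.get("family", "?"), task_definition.get("revision", "?")
    findings = []
    for c in task_definition.get("containerDefinitions", []):
        image = c.get("image", "")
        if not normalize_image(image).startswith(trusted):
            findings.append(f"{family}:{rev}/{c.get('name', '?')}={image}")
    return findings

# Constructed sample shaped like `aws ecs describe-task-definition` output.
SAMPLE = json.loads("""
{"taskDefinition": {"family": "web", "revision": 7, "containerDefinitions": [
  {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2"},
  {"name": "proxy", "image": "nginx:1.25"},
  {"name": "sidecar", "image": "someuser/log-shipper:latest"},
  {"name": "agent", "image": "ghcr.io/example/agent:2.0"}]}}
""")["taskDefinition"]

def audit_account() -> list:
    """Live audit: the same check over the latest ACTIVE revision of every family
    (describing a task definition by family name returns that revision)."""
    import boto3  # assumption: boto3 installed, AWS credentials configured
    ecs = boto3.client("ecs")
    findings = []
    for page in ecs.get_paginator("list_task_definition_families").paginate(status="ACTIVE"):
        for family in page["families"]:
            td = ecs.describe_task_definition(taskDefinition=family)["taskDefinition"]
            findings.extend(untrusted_images(td))
    return findings
```

Running `untrusted_images(SAMPLE)` flags the `sidecar` and `agent` containers; `nginx:1.25` passes only because the constructed allowlist admits Docker Official Images.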

## Expected Result

All container images referenced in task definitions should be from trusted sources (e.g., private ECR repositories, verified Docker Hub images, or organization-approved registries).

## Remediation

### Using AWS Console

1. Log in to the ECS console at https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Task definitions`.
3. Click the name of a task definition.
4. Click on the latest active revision of the task definition.
5. Click `Create new revision`.
6. Click `Create new revision with JSON`.
7. For each element under `containerDefinitions`, set `image` to an appropriate image trusted by your organization.
8. Repeat steps 1-7 for each task definition requiring remediation.

Note: When a task definition is updated, running tasks launched from the previous task definition remain unchanged. Updating a running task requires redeploying it with the new task definition.

### Using AWS CLI

No specific CLI remediation provided. Register a new task definition revision with trusted images using `aws ecs register-task-definition`.

## Default Value

No default value. The image must be specified when creating a task definition.

## References

1. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-considerations.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/list-task-definitions.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-task-definition.html

## CIS Controls

| Controls Version | Control                                               | IG 1 | IG 2 | IG 3 |
| ---------------- | ----------------------------------------------------- | ---- | ---- | ---- |
| v8               | 2.2 Ensure Authorized Software is Currently Supported | x    | x    | x    |
| v7               | 2.2 Ensure Software is Supported by Vendor            | x    | x    | x    |

## Profile

Level 1 | Automated