what
- ECS default behavior is to have this left unset.
- This allows the container to run with the build-specified `USER` in the Dockerfile (if set, root by default)
why
- The default behavior is to use the container's `USER` runtime.
- Defaulting the runtime is a security gap as it can cause containers that were built to run as other users to suddenly start running as root when deployed with this module.
Note, this could break existing container environments running in the wild if they were inadvertently taking advantage of the root access.
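
An added example, not part of the original change or the module's code: a check over an ECS task definition's `containerDefinitions` that reports containers whose `user` is unset (the image's `USER` applies, root if the Dockerfile sets none) or explicitly root. The sample task definition, container names and images are constructed.

```python
import json

# Constructed sample in the shape of the "taskDefinition" object from
# `aws ecs describe-task-definition`; names and images are made up.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "example-service",
  "containerDefinitions": [
    {"name": "app",     "image": "example/app:1.0",    "user": "1000:1000"},
    {"name": "sidecar", "image": "example/proxy:2.3"},
    {"name": "legacy",  "image": "example/legacy:0.9", "user": "0"},
    {"name": "batch",   "image": "example/batch:4.1",  "user": "root:root"}
  ]
}
""")


def classify_user(user):
    """Classify a containerDefinitions[].user value as 'unset', 'root' or 'non-root'."""
    if user is None or str(user).strip() == "":
        return "unset"
    # ECS accepts user, user:group, uid, uid:gid, user:gid and uid:group;
    # only the part before ':' decides the account the process runs as.
    owner = str(user).strip().split(":", 1)[0]
    if owner == "root" or (owner.isdigit() and int(owner) == 0):
        return "root"
    return "non-root"


def audit(task_def):
    """Return (container name, status, detail) for containers that may run as root."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        status = classify_user(container.get("user"))
        if status == "unset":
            detail = "falls back to the image's USER; root if the Dockerfile sets none"
        elif status == "root":
            detail = "task definition forces root, overriding the image's USER"
        else:
            continue
        findings.append((container["name"], status, detail))
    return findings


if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_TASK_DEF):
        print(f"{name}: user {status} ({detail})")
```

An `unset` finding is not a defect by itself; it means the image has to be inspected to learn which account the container runs as.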