Restrict ECS Containers to Read-Only Access for Root Filesystems

Ensures ECS containers have read-only access to their root filesystems, minimizing the risk of accidental or malicious changes to the system.

Rule: ECS containers should be limited to read-only access to root filesystems
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description:

AWS Foundational Security Best Practices recommend limiting ECS containers to read-only access to root filesystems to enhance security posture. By restricting write access to the root filesystem, the impact of any potential security breaches or misconfigurations is minimized, thereby reducing the risk of unauthorized modifications or data exfiltration.

Troubleshooting Steps:

If ECS containers are not configured for read-only access to root filesystems, follow these troubleshooting steps:

  1. Check the container definitions in the ECS task definitions to ensure that the readonlyRootFilesystem parameter is set to true.
  2. Verify that the IAM roles assigned to the ECS task have the necessary permissions to enforce read-only access.
  3. Check for any custom configurations or scripts that may be overriding the read-only setting.

Necessary Codes:

To enforce read-only access to root filesystems in ECS task definitions, include the following code snippet:

{
  "containerDefinitions": [
    {
      "name": "sample-container",
      "image": "sample-image",
      "readonlyRootFilesystem": true
    }
  ]
}

Remediation Steps:

Follow these step-by-step instructions to restrict ECS containers to read-only access to root filesystems:

  1. Open the Amazon ECS console.
  2. Click on "Task Definitions" in the navigation pane.
  3. Select the appropriate task definition that you want to modify.
  4. In the task definition, navigate to the container definition section.
  5. Edit the container definition to include "readonlyRootFilesystem": true.
  6. Save the task definition.
  7. Update the ECS service to use the modified task definition.
  8. Monitor the ECS service to ensure that containers are running with read-only access to the root filesystems.

By following these steps, you can ensure that ECS containers are limited to read-only access to root filesystems in alignment with AWS Foundational Security Best Practices.
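The same check and fix, scripted, as an added example that is not Cloud Defense's or AWS's own code: it takes the JSON returned by `aws ecs describe-task-definition`, lists every container whose root filesystem is still writable (an absent readonlyRootFilesystem counts as non-compliant, because ECS defaults it to false), and builds a register-task-definition payload with the flag enforced. The task definition below is a constructed sample; the service still has to be updated to the new revision afterwards.

```python
import json

# Constructed sample in the shape returned by
# `aws ecs describe-task-definition --task-definition sample-app:7`
# (trimmed to the fields this check needs).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "taskDefinition": {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/sample-app:7",
    "family": "sample-app",
    "revision": 7,
    "status": "ACTIVE",
    "containerDefinitions": [
      {"name": "api",     "image": "sample-image", "readonlyRootFilesystem": true},
      {"name": "worker",  "image": "sample-image", "readonlyRootFilesystem": false},
      {"name": "sidecar", "image": "sample-image"}
    ]
  }
}
""")

# Metadata that describe-task-definition returns but that
# register-task-definition rejects as input, so it must be stripped.
READ_ONLY_FIELDS = {"taskDefinitionArn", "revision", "status", "requiresAttributes",
                    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt"}


def writable_root_containers(describe_output):
    """Names of containers whose root filesystem is writable.

    A missing readonlyRootFilesystem is treated exactly like an explicit
    false, which is how ECS interprets it.
    """
    containers = describe_output["taskDefinition"]["containerDefinitions"]
    return [c["name"] for c in containers if c.get("readonlyRootFilesystem") is not True]


def compliant_register_input(describe_output):
    """Build a register-task-definition payload with the control enforced.

    Returns a new dict (a deep copy); the describe output is left untouched.
    """
    task_def = json.loads(json.dumps(describe_output["taskDefinition"]))
    for field in READ_ONLY_FIELDS:
        task_def.pop(field, None)
    for container in task_def["containerDefinitions"]:
        container["readonlyRootFilesystem"] = True
    return task_def
```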
