lacework-global-376
Limit Elastic Container Service (ECS) containers to read-only access to root filesystems (Manual)
Description
Enabling the read-only root filesystem option reduces the attack surface: the container's filesystem cannot be tampered with or written to unless the container has been given explicit read-write permission on specific folders and directories (for example through a mounted volume). This also adheres to the principle of least privilege.
Remediation
From the AWS console:
- Log in to the AWS Management Console.
- Click Services.
- Select Containers > Elastic Container Service.
- In the left-hand pane, click Task definitions.
- Select the task definition running a container without a read-only root filesystem.
- Select the task definition revision and click Create new revision.
- Under Container, set Read-only root filesystem to true.
- Click Create.
From CLI:
Create a JSON file containing the container definitions for the task definition, with "readonlyRootFilesystem": true set on each container, then register a new revision with the following command:
aws ecs register-task-definition --family <task_definition_name> --container-definitions <container_definition_json>
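As an added example (not part of the Lacework policy or of AWS's own tooling), the following Python checks a task definition in the shape returned by aws ecs describe-task-definition for containers whose root filesystem is still writable, and produces the hardened container definitions JSON for the CLI step above. The task definition it inspects is a constructed sample.

```python
import copy
import json

# Constructed sample shaped like `aws ecs describe-task-definition` output;
# not a real task definition.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {"name": "web", "image": "example/web:1.0",
         "readonlyRootFilesystem": False,
         # Writable scratch space stays available via an explicit mount point.
         "mountPoints": [{"sourceVolume": "tmp", "containerPath": "/tmp",
                          "readOnly": False}]},
        {"name": "sidecar", "image": "example/sidecar:1.0"},
        {"name": "audited", "image": "example/audited:1.0",
         "readonlyRootFilesystem": True},
    ],
    "volumes": [{"name": "tmp", "host": {}}],
}


def containers_with_writable_root(task_definition):
    """Return names of containers whose root filesystem is writable.
    A missing readonlyRootFilesystem key behaves like false, so both
    the explicit-false and the absent case are reported."""
    return [c["name"]
            for c in task_definition.get("containerDefinitions", [])
            if not c.get("readonlyRootFilesystem", False)]


def harden_container_definitions(container_definitions):
    """Return a copy with readonlyRootFilesystem set to true on every
    container; writable paths must then come from explicit mountPoints."""
    hardened = copy.deepcopy(container_definitions)
    for container in hardened:
        container["readonlyRootFilesystem"] = True
    return hardened


def remediation_command(task_definition, path="container-definitions.json"):
    """Build the register-task-definition call that consumes the hardened file."""
    return (f"aws ecs register-task-definition --family {task_definition['family']} "
            f"--container-definitions file://{path}")


if __name__ == "__main__":
    print("writable root:", containers_with_writable_root(SAMPLE_TASK_DEFINITION))
    hardened = harden_container_definitions(SAMPLE_TASK_DEFINITION["containerDefinitions"])
    print(json.dumps(hardened, indent=2))  # save as container-definitions.json
    print(remediation_command(SAMPLE_TASK_DEFINITION))
```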
References
https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5