lacework-global-376

Limit Elastic Container Service (ECS) containers to read-only access to root filesystems (Manual)

Description

Enabling the read-only root filesystem option reduces security attack vectors, as it is not possible to tamper with or write to the container instance's filesystem unless it has explicit read-write permissions on its filesystem folder and directories. This also adheres to the principle of least privilege.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Service.
  4. In the left-hand pane, click Task definitions.
  5. Select the task definition running a container without a read-only root filesystem.
  6. Select the task definition revision and click Create new revision.
  7. Under Container, set Read-only root filesystem to true.
  8. Click Create.

From CLI:

Create a JSON file containing the container definitions for use in the task definition, with "readonlyRootFilesystem": true set on each container, then run the following command:

aws ecs register-task-definition --family <task_definition_name> --container-definitions <container_definition_json>
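The following is an added example, not Lacework's or AWS's own code, showing how to audit a task definition (in the JSON shape returned under the taskDefinition key by `aws ecs describe-task-definition`) for containers whose root filesystem is writable, and how to produce the hardened container definitions to pass to `register-task-definition`. The task definition, family name and image names are constructed for illustration.

```python
"""Audit ECS task definitions for containers without a read-only root filesystem.

Added example (not Lacework's or AWS's code). Input shape matches the
"taskDefinition" object returned by `aws ecs describe-task-definition`.
"""
import json

# Constructed sample: one compliant container, one explicitly writable,
# one with the key absent (ECS defaults to a writable root filesystem).
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",  # hypothetical family name
    "containerDefinitions": [
        {"name": "nginx", "image": "nginx:1.25", "readonlyRootFilesystem": True},
        {"name": "app", "image": "example/app:1.0", "readonlyRootFilesystem": False},
        {"name": "sidecar", "image": "example/sidecar:1.0"},
    ],
}


def writable_root_containers(task_definition: dict) -> list[str]:
    """Return names of containers that do not set readonlyRootFilesystem to true.

    A missing key counts as non-compliant because the ECS default is writable.
    """
    return [
        c.get("name", "<unnamed>")
        for c in task_definition.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def harden_container_definitions(task_definition: dict) -> list[dict]:
    """Return a copy of the container definitions with readonlyRootFilesystem true.

    The result is what `--container-definitions` expects. Containers that must
    write locally need an explicit writable mount (mountPoints plus a volume on
    the task definition); that is the "explicit read-write permissions"
    exception the control describes, and it is not added automatically here.
    """
    hardened = []
    for c in task_definition.get("containerDefinitions", []):
        new_c = dict(c)  # shallow copy so the input is left untouched
        new_c["readonlyRootFilesystem"] = True
        hardened.append(new_c)
    return hardened


if __name__ == "__main__":
    print("writable root fs:", writable_root_containers(SAMPLE_TASK_DEFINITION))
    print(json.dumps(harden_container_definitions(SAMPLE_TASK_DEFINITION), indent=2))
```

Save the printed JSON to a file and pass it as `--container-definitions file://<path>` to the register-task-definition command above.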

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5