AWSOverview
Amazon ECS containers should be limited to read-only access to mounted root filesystems. This control only evaluates the in-use (RUNNING Task) revision of an Amazon ECS task definition.
Remediation guidance
Limiting container definitions to read-only access to root filesystems (classic Amazon ECS console)
-
Open the Amazon ECS classic console at https://console.aws.amazon.com/ecs/. Use the classic Amazon ECS console.
-
In the left navigation pane, choose Task Definitions.
-
For each task definition that has container definitions that need to be updated, do the following:
- Select the container definition that needs to be updated.
- Choose Edit Container. For Storage and Logging, select Read only root file system.
- Choose Update at the bottom of the Edit Container tab.
- Choose Create.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
ECS containers should be limited to read-only access to root filesystems
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {task_NOT: null, containerSpecs_SOME: { readOnlyRootFS: false }}) {...AssetFragment}
}
