v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 5 ECS containers should be limited to read-only access to root filesystems

Description

This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.

Enabling this option reduces security attack vectors since the container instance’s filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. This control also adheres to the principle of least privilege.

Remediation

To limit container definitions to read-only access to root filesystems

  1. Open the Amazon ECS console.
  2. In the left navigation pane, choose Task Definitions.
  3. For each task definition that has container definitions that need to be updated, do the following:
    • Select the container definition that needs to be updated.
    • Choose Edit Container. For Storage and Logging, select Read only root file system.
    • Choose Update at the bottom of the Edit Container tab.
    • Choose Create.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecs_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_5 --share

SQL

This control uses a named query:

ecs_task_definition_container_readonly_root_filesystem

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = ecs_5
plugin = aws
service = AWS/ECS