Control: ECS containers should be limited to read-only access to root filesystems
Description
This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ecs_task_definition_container_readonly_root_filesystemSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.ecs_task_definition_container_readonly_root_filesystem --shareSQL
This control uses a named query:
with privileged_container_definition as ( select distinct task_definition_arn as arn from aws_ecs_task_definition, jsonb_array_elements(container_definitions) as c where c ->> 'ReadonlyRootFilesystem' = 'true')select d.task_definition_arn as resource, case when c.arn is not null then 'ok' else 'alarm' end as status, case when c.arn is not null then d.title || ' containers limited to read-only access to root filesystems.' else d.title || ' containers not limited to read-only access to root filesystems.' end as reason , region, account_idfrom aws_ecs_task_definition as d left join privileged_container_definition as c on d.task_definition_arn = c.arn;