Control: ECS containers should be limited to read-only access to root filesystems
Description
This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_readonly_root_filesystemSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_readonly_root_filesystem --shareSQL
This control uses a named query:
with task_with_readonly_root_filesystem as ( select distinct (address ) as name from terraform_resource, jsonb_array_elements( case when ((attributes_std ->> 'container_definitions') = '') then null else (attributes_std ->> 'container_definitions')::jsonb end ) as s where (s ->> 'ReadonlyRootFilesystem')::boolean and type = 'aws_ecs_task_definition' ) select r.address as resource, case when p.name is not null then 'ok' else 'alarm' end status, split_part(r.address, '.', 2) || case when p.name is not null then ' containers limited to read-only access to root filesystems' else ' containers not limited to read-only access to root filesystems' end || '.' reason , path || ':' || start_line from terraform_resource as r left join task_with_readonly_root_filesystem as p on p.name = r.address where type = 'aws_ecs_task_definition';