AWS Config Rule: ECS Containers ReadOnly Access
ECS_CONTAINERS_READONLY_ACCESS
Ryan Ware
Last Update 7 months ago
Description: Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems. The rule is NON_COMPLIANT if the readonlyRootFilesystem parameter in the container definition of ECSTaskDefinitions is set to ‘false’.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta) Region
How to Resolve Manually
This AWS Config Rule will check for a particular parameter within your ECS Container configuration, it is important to note that this AWS Config Rule only applies to Linux containers, as the parameter readonlyRootFilesystem is not supported for Windows containers.
To understand what this means, we should check out the AWS Documentation for ECS Container Definition:
readonlyRootFilesystem
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.
It is important to understand that this parameter may not be part of your ECS Task Definition if you have constructed this using the AWS Console. There is however an option to create a new revision of your Task Definition using json, this is where understanding the above API reference comes in handy so we can see where it is expected to be and what the boolean true / false values mean.
If the parameter is missing, AWS Config will treat this as being non-compliant.
In order to rectify this, first we will need to head on over to our ECS Dashboard within AWS Console and choose Task Definitions. From here, create a new revision using .json mode:
In the containerDefinitions we can see here on line 22 we have added the following line of code;
"readonlyRootFilesystem": true,
This as the API documentation states will ensure that the root file system is read-only and thus making your ECS Task Definition compliant with this particular AWS Config Rule
Note: Unless this parameter is specifically set and value is true, this Config Rule will mark any ECS Task Definition as non-compliant
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here