AWS Config Rule: ECS Containers ReadOnly Access
ECS_CONTAINERS_READONLY_ACCESS
Ryan Ware
Last Update 6 months ago
Description: Checks whether Amazon Elastic Container Service (Amazon ECS) containers have only read-only access to their root filesystems. The rule is NON_COMPLIANT if the readonlyRootFilesystem parameter in the container definition of ECSTaskDefinitions is set to 'false'.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta) Region
How to Resolve Manually
This AWS Config Rule checks for a particular parameter within your ECS container definition. Note that the rule only applies to Linux containers, because the readonlyRootFilesystem parameter is not supported for Windows containers.
To understand what this means, we should check out the AWS Documentation for ECS Container Definition:
readonlyRootFilesystem
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.
This parameter may not be present in your ECS Task Definition if you built it through the AWS Console. The console does, however, let you create a new revision of the Task Definition as JSON, and this is where the API reference above comes in handy: it shows where the parameter is expected to sit and what the boolean true / false values mean.
If the parameter is missing, AWS Config will treat this as being non-compliant.
To rectify this, open the ECS dashboard in the AWS Console and choose Task Definitions. From there, create a new revision in JSON mode:
In the containerDefinitions section (line 22 in the screenshot) we have added the following line:
"readonlyRootFilesystem": true,
As the API documentation states, this makes the root file system read-only and therefore brings your ECS Task Definition into compliance with this AWS Config Rule.
Note: Unless this parameter is explicitly set to true, this Config Rule marks an ECS Task Definition as non-compliant.
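The check described above can be reproduced offline before you register a new revision. The following Python is an added example, not StackZone's or AWS's own code: it applies the rule's logic (readonlyRootFilesystem must be explicitly true; a missing parameter counts as non-compliant, as noted above) to a task definition body, and produces a remediated revision with the parameter set on every container. The sample task definition is constructed for the example, and the use of runtimePlatform.operatingSystemFamily to skip Windows task definitions is this example's own assumption about how to honour the Linux-only scope of the rule.

```python
import json

# Constructed sample task definition (not from the page). Three containers:
# one explicitly read-only, one missing the parameter, one explicitly writable.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {"name": "web", "image": "nginx:1.25", "readonlyRootFilesystem": True},
        {"name": "sidecar", "image": "busybox:1.36"},
        {"name": "legacy", "image": "app:1.0", "readonlyRootFilesystem": False},
    ],
}

# Constructed Windows task definition, used to show the Linux-only scope.
SAMPLE_WINDOWS_TASK_DEFINITION = {
    "family": "example-win",
    "runtimePlatform": {"operatingSystemFamily": "WINDOWS_SERVER_2019_CORE"},
    "containerDefinitions": [{"name": "iis", "image": "mcr.microsoft.com/windows/servercore/iis"}],
}

# Fields returned by DescribeTaskDefinition that RegisterTaskDefinition rejects;
# they are stripped before a remediated body is submitted as a new revision.
READ_ONLY_RESPONSE_FIELDS = (
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy",
)


def is_windows_task(task_def):
    """Assumption of this example: a task definition is Windows if its
    runtimePlatform.operatingSystemFamily starts with WINDOWS."""
    family = task_def.get("runtimePlatform", {}).get("operatingSystemFamily", "LINUX")
    return family.upper().startswith("WINDOWS")


def evaluate_task_definition(task_def):
    """Apply the rule per container. Returns {container name: (status, reason)}.
    Windows task definitions are out of scope and yield an empty result."""
    if is_windows_task(task_def):
        return {}
    results = {}
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        value = container.get("readonlyRootFilesystem")
        if value is True:
            results[name] = ("COMPLIANT", "readonlyRootFilesystem is true")
        elif value is None:
            # The parameter is absent, which the rule treats as non-compliant.
            results[name] = ("NON_COMPLIANT", "readonlyRootFilesystem is missing")
        else:
            results[name] = ("NON_COMPLIANT", "readonlyRootFilesystem is false")
    return results


def task_definition_status(task_def):
    """Roll the per-container results up to the rule's verdict for the task definition."""
    if is_windows_task(task_def):
        return "NOT_APPLICABLE"
    results = evaluate_task_definition(task_def)
    if all(status == "COMPLIANT" for status, _ in results.values()):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def remediate(task_def):
    """Return a new revision body with readonlyRootFilesystem set to true on
    every container, ready to pass to RegisterTaskDefinition. The input is not
    modified, so the original revision can still be compared against it."""
    new_def = json.loads(json.dumps(task_def))  # deep copy via JSON round-trip
    for container in new_def.get("containerDefinitions", []):
        container["readonlyRootFilesystem"] = True
    for key in READ_ONLY_RESPONSE_FIELDS:
        new_def.pop(key, None)
    return new_def


if __name__ == "__main__":
    for name, (status, reason) in evaluate_task_definition(SAMPLE_TASK_DEFINITION).items():
        print(f"{name:8} {status:14} {reason}")
    print("task definition:", task_definition_status(SAMPLE_TASK_DEFINITION))
    print("after remediation:", task_definition_status(remediate(SAMPLE_TASK_DEFINITION)))
    print("windows task definition:", task_definition_status(SAMPLE_WINDOWS_TASK_DEFINITION))
```

Feed remediate() the output of `aws ecs describe-task-definition` (the taskDefinition object) to get a body you can review and then register as the new revision; containers that genuinely need to write to disk should be given an explicit volume or tmpfs mount rather than a writable root filesystem, so the parameter can stay true.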
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here