ECS task definition does not mount the container's root filesystem as read-only Affecting ECS service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Containers/ Volumes

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-ControlsCSA-CCMNIST-800-53PCI-DSS
  • Snyk IDSNYK-CC-00149
  • creditSnyk Research Team

Description

Mounting the container's root filesystem as read-only reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.

How to fix?

In the container_definitions attribute, set readonlyRootFilesystem to true.

Example Configuration

resource "aws_ecs_task_definition" "valid_read_only_root_fs" {
  family = "valid_read_only_root_fs"

  container_definitions = <<EOF
[
  {
    "name": "valid_read_only_root_fs",
    "image": "hello-world",
    "memory": 128,
    "readonlyRootFilesystem": true
  }
]
EOF

  requires_compatibilities = ["EC2"]
}