Profile Applicability:

  • Level 1

Description:

Amazon ECS Fargate is a serverless compute engine for containers that automatically manages the underlying infrastructure for containers. Each ECS Fargate task runs on a Fargate platform version, which provides the environment and capabilities for container execution. This SOP ensures that ECS Fargate services are running on the latest platform version to take advantage of the newest features, bug fixes, and security updates provided by AWS.

The platform version determines the runtime environment and capabilities for ECS tasks, so it’s important to ensure that the ECS Fargate services are always using the latest platform version for optimal performance, stability, and security.

Rationale:

Running ECS Fargate services on the latest platform version ensures:

  • Security: Latest platform versions include security patches and fixes for known vulnerabilities.

  • Performance: AWS continually improves the Fargate platform to enhance performance and support new features.

  • Reliability: The latest platform version ensures that your containers are running on the most stable and tested version of the Fargate infrastructure.

  • Compliance: Using the latest version helps meet security and compliance requirements for your containerized applications.

Impact:

Pros:

  • Improved Security: Benefits from the latest security patches and fixes.

  • Access to New Features: Gain access to new capabilities, such as performance enhancements, integrations, and optimizations in the Fargate platform.

  • Increased Reliability: Running on the most recent platform ensures that you benefit from the latest bug fixes and updates.

  • Compliance: Helps ensure your service meets regulatory and compliance standards.

Cons:

  • Application Compatibility: In rare cases, the new platform version may have changes that could impact application compatibility. Thorough testing is required before upgrading.

  • Operational Overhead: Ensuring that all services are running on the latest platform version may require periodic review and updates.

Default Value:

By default, ECS Fargate services are often set to use the LATEST platform version, but this can be explicitly set to an older version if required.

Pre-requisite:

  • AWS IAM Permissions:

    • ecs:DescribeServices

    • ecs:UpdateService

    • ecs:DescribeTaskDefinitions

  • AWS CLI installed and configured.

  • Basic understanding of ECS Fargate services, platform versions, and task definitions.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS under Services.

                   

  1. In the ECS Dashboard, go to Clusters and select the ECS cluster that contains the Fargate service.

                   

  1. Select the service and review the Service details.

               

  • In the Task Definition section, check the Platform Version.

  • Ensure that it is set to LATEST (or the most recent available platform version)

             

  1. If not set to LATEST, update the service to use the latest platform version.

Using AWS CLI:

To describe the ECS service and check the platform version, run:

aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[*].platformVersion

The expected output should indicate the platform version as LATEST. Example output:

[

  {

    "platformVersion": "LATEST"

  }

]

  1. If the platform version is not LATEST, update the ECS service to use the latest platform version.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to ECS.

  2. In the ECS Dashboard, select Clusters and choose the cluster where the Fargate service is located.

  3. Select the service that needs updating.

  4. Under Service Configuration, find the Platform Version setting.

                     

  1. Ensure that Platform Version is set to LATEST.

                 

  1. If not, click Update to change the Platform Version to LATEST and save the changes.

Using AWS CLI:

To update an ECS Fargate service to use the LATEST platform version, run:

aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version LATEST

Verify that the update was successful by running:

aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[*].platformVersion'

Backout Plan:

If updating to the latest Fargate platform version causes issues with the ECS service:

Identify the affected ECS service.

Rollback to the previous platform version by running:

aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version <previous-version>

Verify that the ECS service is back to the previous platform version by running:

aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[*].platformVersion'

Test the service to ensure it is functioning correctly with the previous platform version.

Note:

  • Testing: Ensure you thoroughly test your ECS services after upgrading to the latest platform version, especially if any changes to the underlying infrastructure or runtime environment might affect the application.

  • Monitoring: Set up CloudWatch monitoring to track the health and performance of ECS tasks and services after the platform version update.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.