Profile Applicability:

  • Level 1

Description:

Amazon ECS allows you to run Docker containers within a Cluster using task definitions. The root filesystem of ECS containers, by default, may have read-write access, which could lead to the potential for containerized applications to modify critical files. This SOP ensures that ECS containers are configured with read-only access to their root filesystems, minimizing the risk of accidental or malicious modification of system files.

By limiting container access to read-only root filesystems, organizations can reduce the attack surface for containerized applications and ensure that containers only have the necessary permissions to operate.

Rationale:

Granting read-only access to ECS containers' root filesystems is a security best practice, as it limits the container's ability to modify the host OS or other critical files. This principle is based on the least privilege security model, ensuring containers only have access to what they absolutely need to function.

By setting containers to read-only filesystems, the following benefits are achieved:

  • Security: Prevents unauthorized modification of system files by containerized applications.

  • Integrity: Protects critical application files and settings from being tampered with.

  • Compliance: Meets security standards and compliance requirements, such as CIS or SOC 2, for maintaining secure container environments.

Impact:

Pros:

  • Improved Security: Restricting the filesystem access helps prevent containers from modifying the underlying operating system or other critical files.

  • Reduced Attack Surface: Even if an attacker gains access to the container, they are limited in what they can change.

  • Compliance: Helps to meet security requirements in regulatory frameworks like CIS, SOC 2, or PCI-DSS.

Cons:

  • Application Constraints: Some applications may require write access to the filesystem, and they might not work properly with a read-only root filesystem.

  • Configuration Complexity: Requires careful application design and task definition configuration to ensure containers can operate correctly without needing write access to the root filesystem.

Default Value:

By default, ECS containers have read-write access to their root filesystems unless specified otherwise in the task definition.

Pre-requisite:

  • AWS IAM Permissions:

    • ecs:DescribeTaskDefinition

    • ecs:RegisterTaskDefinition

    • ecs:DeregisterTaskDefinition

    • ecs:DescribeTasks

  • AWS CLI installed and configured.

  • Basic understanding of ECS task definitions, container security, and Docker filesystem configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS under Services.

  3. Go to Task Definitions and review the task definition for your ECS containers.

  4. Check the container definition to verify that the readonlyRootFilesystem parameter is enabled (set to true).

    • readonlyRootFilesystem should be set to true to ensure the root filesystem is read-only.

  5. If readonlyRootFilesystem is not set, update the task definition to enable it.

Using AWS CLI:

To describe the ECS task definition and check if the container is configured with a read-only root filesystem, run:

aws ecs describe-task-definition --task-definition <task-definition-name> --query 'taskDefinition.containerDefinitions[*].readonlyRootFilesystem'

Review the output to ensure that readonlyRootFilesystem is set to true for every container in the task definition.

Example output (one entry per container definition):

[
  true
]

If the output shows false, or null (the parameter is absent, which also means read-write), update the task definition to enable the read-only root filesystem.
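The CLI query above prints one value per container, so a task definition with several containers has to be read carefully, and a container that never set the parameter shows up as null rather than false. The following audit script is an added example, not part of this SOP: it parses the full JSON that aws ecs describe-task-definition returns and lists every container whose root filesystem is writable, treating a missing parameter as writable because that is the ECS default. The sample task definition (family example-api, images under example/) is constructed for the demonstration.

```python
"""Audit an ECS task definition for read-only root filesystems.

Added example (not part of this SOP). Input is the JSON document printed by
`aws ecs describe-task-definition --task-definition <name>`.
"""
import json
import sys

# Constructed sample in the shape of `aws ecs describe-task-definition` output:
# one compliant container, one explicitly writable, one with the key omitted.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "taskDefinition": {
        "family": "example-api",
        "revision": 7,
        "containerDefinitions": [
            {"name": "api", "image": "example/api:1.0", "essential": True,
             "readonlyRootFilesystem": True},
            {"name": "sidecar", "image": "example/sidecar:1.0", "essential": False,
             "readonlyRootFilesystem": False},
            {"name": "legacy", "image": "example/legacy:1.0", "essential": True},
        ],
    }
})


def writable_root_containers(describe_output: str) -> list:
    """Return the names of containers whose root filesystem is not read-only.

    A missing readonlyRootFilesystem key counts as writable: ECS defaults to a
    read-write root filesystem when the parameter is omitted, and the
    --query form in the SOP prints null (not false) for such containers.
    """
    task_def = json.loads(describe_output)["taskDefinition"]
    return [
        container["name"]
        for container in task_def.get("containerDefinitions", [])
        if container.get("readonlyRootFilesystem") is not True
    ]


def audit(describe_output: str) -> dict:
    """Produce a pass/fail verdict for one task definition revision."""
    task_def = json.loads(describe_output)["taskDefinition"]
    failing = writable_root_containers(describe_output)
    return {
        "taskDefinition": f'{task_def["family"]}:{task_def["revision"]}',
        "compliant": not failing,
        "writableRootContainers": failing,
    }


if __name__ == "__main__":
    # Usage: aws ecs describe-task-definition --task-definition <name> > td.json
    #        python audit_readonly_root.py td.json
    # Without an argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    print(json.dumps(audit(data), indent=2))
```

Run it against each active task definition family; a task definition is compliant only when writableRootContainers is empty. The sample reports sidecar (explicit false) and legacy (parameter omitted) as non-compliant.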

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS.

  3. In the ECS Dashboard, go to Task Definitions.

  4. Select the task definition you wish to modify or create a new revision.

  5. Under the container definitions, select the container you want to modify.

  6. In the Filesystem section, enable the readonlyRootFilesystem option.

  7. Save the changes to register the updated task definition.

  8. Deploy the task definition to your ECS service or cluster.

Using AWS CLI:

To create a new ECS task definition with a read-only root filesystem, run:

aws ecs register-task-definition \
  --family <task-family> \
  --container-definitions '[{
      "name": "my-container",
      "image": "my-image",
      "memory": 512,
      "cpu": 256,
      "readonlyRootFilesystem": true,
      "essential": true
  }]'

To update an existing task definition to enable the read-only root filesystem, register a new revision with the option set (task definitions are immutable, so there is no in-place update command). First export the current revision:

aws ecs describe-task-definition --task-definition <task-definition-name> \
  --query 'taskDefinition' > taskdef.json

In taskdef.json set "readonlyRootFilesystem": true in each container definition and remove the read-only fields that describe-task-definition includes but register-task-definition rejects (taskDefinitionArn, revision, status, requiresAttributes, compatibilities, registeredAt, registeredBy), then register the new revision:

aws ecs register-task-definition --cli-input-json file://taskdef.json

Backout Plan:

If enabling the read-only root filesystem causes issues with the application:

  1. Identify the affected task definition and container.

  2. Revert the readonlyRootFilesystem option back to false by updating the task definition.

  3. Use the following CLI command to deregister the task definition:

aws ecs deregister-task-definition --task-definition <task-definition-name>

  4. Re-deploy using the previous working task definition.

Note:

  • Some applications may require write access to specific directories. In those cases, you can specify a writable volume or configure Docker bind mounts for specific file paths that need to be written to while keeping the rest of the filesystem read-only.

  • If running on Fargate, ensure that the ECS task definition uses Fargate launch type to benefit from the isolation provided by read-only root filesystems.
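The implementation steps and the note above describe one procedure: export the current revision, set readonlyRootFilesystem on every container, give the few paths an application genuinely writes a dedicated bind-mount volume, strip the read-only metadata fields, and register the result as a new revision. The script below is an added example (not part of this SOP) that performs that transformation; its output is the JSON accepted by aws ecs register-task-definition --cli-input-json. The sample task definition, its account id and the /tmp scratch path are constructed.

```python
"""Build a new ECS task-definition revision with read-only root filesystems.

Added example (not part of this SOP). Input is the "taskDefinition" object
from `aws ecs describe-task-definition`; output is register-task-definition
input with readonlyRootFilesystem enabled and per-path writable bind mounts.
"""
import json
import sys
from copy import deepcopy
from typing import Dict, List, Optional

# Present in describe-task-definition output but rejected by
# register-task-definition, so they must be dropped before re-registering.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

SAMPLE_TASK_DEFINITION = {  # constructed sample
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/example-api:7",
    "family": "example-api",
    "revision": 7,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {"name": "api", "image": "example/api:1.0", "essential": True},
        {"name": "sidecar", "image": "example/sidecar:1.0", "essential": False,
         "readonlyRootFilesystem": False},
    ],
    "volumes": [],
}


def build_readonly_revision(task_def: dict,
                            writable_paths: Optional[Dict[str, List[str]]] = None) -> dict:
    """Return register-task-definition input with read-only root filesystems.

    writable_paths maps a container name to the container paths it must write
    (for example {"api": ["/tmp"]}). Each path gets its own bind-mount volume,
    so only that directory is writable and the rest of the root stays read-only.
    The input dict is not modified.
    """
    writable_paths = writable_paths or {}
    new_def = {k: deepcopy(v) for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    volumes = new_def.setdefault("volumes", [])

    for container in new_def["containerDefinitions"]:
        container["readonlyRootFilesystem"] = True
        mount_points = container.setdefault("mountPoints", [])
        for path in writable_paths.get(container["name"], []):
            # A volume with only a name is a bind mount backed by task-scoped
            # ephemeral storage on both the EC2 and Fargate launch types.
            volume_name = f"{container['name']}-{path.strip('/').replace('/', '-') or 'root'}"
            volumes.append({"name": volume_name})
            mount_points.append({"sourceVolume": volume_name,
                                 "containerPath": path, "readOnly": False})
    return new_def


if __name__ == "__main__":
    # Usage: aws ecs describe-task-definition --task-definition <name> \
    #            --query taskDefinition > current.json
    #        python build_readonly_revision.py current.json > taskdef.json
    #        aws ecs register-task-definition --cli-input-json file://taskdef.json
    # Without an argument the constructed sample is converted instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            current = json.load(fh)
    else:
        current = SAMPLE_TASK_DEFINITION
    print(json.dumps(build_readonly_revision(current, {"api": ["/tmp"]}), indent=2))
```

Keep the writable_paths map as small as the application allows and review it as part of the task definition change: every entry is a directory the container can modify at runtime, so it should correspond to a documented need (scratch space, a cache, a socket directory) rather than be added to make an image start.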

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |