Profile Applicability:
- Level 1
Description:
This rule ensures that the readonlyRootFilesystem parameter is enabled in Amazon ECS task definitions to restrict write access to the container's filesystem. By setting this parameter to true, the filesystem inside the container is made read-only by default, ensuring that no unauthorized modifications can be made unless specific read-write permissions are granted.
Rationale:
Setting readonlyRootFilesystem to true minimizes security risks by preventing any unauthorized or unintended changes to the container's filesystem. This helps in securing the application, as malicious processes within the container cannot alter the filesystem, which could potentially lead to unauthorized access or compromise of the container.
Impact:
Pros:
- Improved security by ensuring that the container's filesystem remains immutable unless necessary permissions are granted.
- Prevents unauthorized modifications within the container, helping mitigate the risk of attacks such as privilege escalation.
Cons:
- Potential operational complexity: some applications may require write access to the filesystem. In such cases, modifications to the task definition will be required.
- Increased administrative effort to configure tasks that need specific write permissions.
Default Value:
By default, readonlyRootFilesystem is set to false, which allows containers to write to their filesystem.
Pre-requisites:
AWS IAM permissions to manage ECS task definitions:
ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition
Remediation:
Test Plan:
Using AWS Console:
1. Log in to the AWS ECS Console.
2. In the left panel, click Task Definitions.
3. Click the name of the task definition to review.
4. Click on the latest active revision of the task definition.
5. Click JSON to view the raw configuration.
6. For each element under containerDefinitions, ensure that readonlyRootFilesystem is set to true.
7. If readonlyRootFilesystem is set to false or is absent, refer to the remediation below.
8. Repeat steps 1–7 for all task definitions across all AWS regions.
Using AWS CLI:
1. Run the following command to list all task definitions:
   aws ecs list-task-definitions
2. For each task definition, run the following command to describe it:
   aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.containerDefinitions[*].readonlyRootFilesystem'
3. Ensure that the command returns true for every container (the query returns one value per element of containerDefinitions). If any value is false or null (the field is absent), refer to the remediation below.
4. Repeat steps 1–3 for all task definitions and AWS regions.
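The CLI test plan above can be scripted so that absent values are not missed. The following is an added example, not part of the original benchmark text: the check logic runs offline on the JSON shape that aws ecs describe-task-definition returns (a constructed sample is embedded), and the optional audit_region helper shells out to the real AWS CLI, assuming that credentials allowing ecs:ListTaskDefinitions and ecs:DescribeTaskDefinition are already configured.

```python
"""Audit ECS task definitions for readonlyRootFilesystem (added example)."""
import json
import subprocess
from typing import Dict, List


def noncompliant_containers(task_definition: Dict) -> List[str]:
    """Return the names of containers whose root filesystem is writable.

    A missing readonlyRootFilesystem key is treated as false, because that is
    the ECS default, so absent and explicitly-false containers both fail.
    """
    return [
        c.get("name", "<unnamed>")
        for c in task_definition.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def is_compliant(task_definition: Dict) -> bool:
    """True when every container in the definition has a read-only root filesystem."""
    return not noncompliant_containers(task_definition)


def _aws(*args: str) -> Dict:
    """Run an AWS CLI command and parse its JSON output (calls the real CLI)."""
    completed = subprocess.run(
        ["aws", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def audit_region(region: str) -> Dict[str, List[str]]:
    """Map each ACTIVE task definition ARN in a region to its non-compliant containers."""
    findings: Dict[str, List[str]] = {}
    arns: List[str] = []
    token = None
    # list-task-definitions is paginated; follow nextToken until exhausted.
    while True:
        args = ["ecs", "list-task-definitions", "--region", region, "--status", "ACTIVE"]
        if token:
            args += ["--next-token", token]
        page = _aws(*args)
        arns.extend(page.get("taskDefinitionArns", []))
        token = page.get("nextToken")
        if not token:
            break
    for arn in arns:
        td = _aws("ecs", "describe-task-definition", "--region", region,
                  "--task-definition", arn)["taskDefinition"]
        bad = noncompliant_containers(td)
        if bad:
            findings[arn] = bad
    return findings


# Constructed sample mirroring the describe-task-definition output shape.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {"name": "web", "image": "nginx:1.25", "readonlyRootFilesystem": True},
        {"name": "sidecar", "image": "busybox", "readonlyRootFilesystem": False},
        {"name": "init", "image": "busybox"},  # key absent: ECS default is false
    ],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python3 audit_ecs_rofs.py us-east-1 eu-west-1 ...
        for region in sys.argv[1:]:
            for arn, names in audit_region(region).items():
                print(f"{arn}: writable root filesystem in {', '.join(names)}")
    else:
        print("sample findings:", noncompliant_containers(SAMPLE_TASK_DEFINITION))
```

Run it with one or more region names to audit live task definitions; with no arguments it evaluates the embedded sample, which reports the sidecar and init containers as non-compliant.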
Implementation Plan:
Using AWS Console:
1. Log in to the AWS ECS Console.
2. In the left panel, click Task Definitions.
3. Click the name of the task definition to modify.
4. Click on the latest active revision of the task definition.
5. Click Create new revision.
6. In the JSON editor, ensure that readonlyRootFilesystem is set to true for each container:
   "readonlyRootFilesystem": true
7. Click Create to save the new task definition revision.
8. Repeat steps 1–7 for any other task definitions requiring remediation.
Using AWS CLI:
1. For each task definition that needs to be updated, run the following command to register a new revision with readonlyRootFilesystem set to true:
   aws ecs register-task-definition \
     --family <task-family-name> \
     --container-definitions '[{"name": "container-name", "image": "image-name", "readonlyRootFilesystem": true}]'
2. After registering the new revisions, redeploy the ECS tasks using the new task definition revision.
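A register-task-definition call that passes only name and image creates a revision that drops every other container and task setting (CPU, memory, port mappings, environment, logging, IAM roles). The safer way to carry out the CLI remediation is to start from the full output of aws ecs describe-task-definition. The following is an added example, not from the original text: it flips readonlyRootFilesystem to true on every container, optionally exempts containers that genuinely need a writable root (the trade-off noted under Cons), and strips the read-only attributes that RegisterTaskDefinition does not accept, so the result can be passed with --cli-input-json. The sample input, including the account ID and ARN, is constructed.

```python
"""Build a remediated ECS task definition revision (added example)."""
import copy
import json
from typing import Dict, Iterable

# Attributes present in describe-task-definition output that
# register-task-definition rejects as input.
_READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def build_remediated_task_definition(task_definition: Dict,
                                     exempt: Iterable[str] = ()) -> Dict:
    """Return a register-task-definition payload with read-only root filesystems.

    Containers named in `exempt` are left untouched so that applications which
    must write to their root filesystem keep working; everything else in the
    definition is preserved verbatim. The input dict is not modified.
    """
    exempt_names = set(exempt)
    new_td = {k: v for k, v in copy.deepcopy(task_definition).items()
              if k not in _READ_ONLY_FIELDS}
    for container in new_td.get("containerDefinitions", []):
        if container.get("name") not in exempt_names:
            container["readonlyRootFilesystem"] = True
    return new_td


# Constructed sample of a describe-task-definition "taskDefinition" object.
SAMPLE_DESCRIBE_OUTPUT = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/example-web:3",
    "family": "example-web",
    "revision": 3,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {"name": "web", "image": "nginx:1.25",
         "portMappings": [{"containerPort": 80}],
         "readonlyRootFilesystem": False},
        {"name": "log-writer", "image": "busybox"},  # field absent: defaults to false
    ],
    "compatibilities": ["EC2", "FARGATE"],
    "registeredAt": "2024-01-01T00:00:00+00:00",
}

if __name__ == "__main__":
    # Usage: aws ecs describe-task-definition --task-definition example-web \
    #          | python3 remediate_rofs.py [exempt-container ...] > new-td.json
    #        aws ecs register-task-definition --cli-input-json file://new-td.json
    import sys
    data = json.load(sys.stdin)
    td = data.get("taskDefinition", data)  # accept the raw CLI wrapper or the inner object
    json.dump(build_remediated_task_definition(td, exempt=sys.argv[1:]),
              sys.stdout, indent=2)
```

After the new revision is registered, point the service at it (for example with aws ecs update-service --cluster <cluster> --service <service> --task-definition <family>:<revision>) and confirm with the test plan's describe-task-definition query that every container now reports true.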
Backout Plan:
Using AWS Console:
1. If issues arise after updating the task definitions, revert to the previous revision of the task definition where readonlyRootFilesystem was not set to true.
2. Redeploy ECS tasks using the previous task definition revision.
Using AWS CLI:
1. To restore the original configuration, run the following command to register a new revision that removes the readonlyRootFilesystem setting or sets it to false:
   aws ecs register-task-definition \
     --family <task-family-name> \
     --container-definitions '[{"name": "container-name", "image": "image-name", "readonlyRootFilesystem": false}]'
2. Redeploy ECS tasks using the older task definition revision if necessary.
References:
CIS Controls: