Profile Applicability:

  • Level 1

Description:
Ensure that Amazon ECS Fargate services use the latest Fargate platform version to benefit from the latest security enhancements, performance improvements, and feature updates.

Rationale:
 Using the latest Fargate platform version ensures that ECS services are protected with the latest security patches and new features, leading to better performance and minimizing the exposure to vulnerabilities.

Impact:
 Updating to the latest platform version may require minor operational changes, including updating service configurations. However, the benefits in terms of security and performance are significant.

Default Value:
 The platform version for Fargate services is set to LATEST by default.

Pre-requisites:

  • AWS IAM permissions to manage ECS services: ecs:UpdateServiceecs:DescribeServices

  • Access to AWS ECS Console or CLI

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the ECS Console at AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Under Services, from the Filter launch type drop-down menu, select FARGATE.

  5. Click the name of a service.

  6. Click Configuration and networking.

  7. Under Service configuration, ensure Platform version is set to 1.4.0 or LATEST for Linux, or 1.0.0 or LATEST for Windows.

  8. Repeat steps 1-7 for each ECS cluster and Fargate service.

Using AWS CLI:

  1. Run the following command to list clusters:

    aws ecs list-clusters

  2. Run the following command to list services in a cluster:

    aws ecs list-services --cluster <cluster-arn>

  3. Run the following command to view the details of a service:

    aws ecs describe-services --cluster <cluster-arn> --services <service-arn> --query 'services[*].[platformFamily,platformVersion]' --output table

  4. For Linux services, ensure platformVersion is 1.4.0 or LATEST. For Windows services, ensure platformVersion is 1.0.0 or LATEST.

  5. Repeat steps 1-4 for each cluster and service.

Implementation Plan:

Using AWS Console:

  1. Log in to the ECS Console at AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Under Services, from the Filter launch type drop-down menu, select FARGATE.

  5. Click the name of a service.

  6. Click Update service.

  7. Expand the Compute configuration (advanced) section.

  8. Under Platform version, select LATEST from the drop-down menu.

  9. Click Update.

  10. Repeat steps 1-9 for each ECS cluster and Fargate service requiring remediation.

Using AWS CLI:

  1. For each service requiring remediation, run the following command to set platformVersion to LATEST:

    aws ecs update-service --cluster <cluster-arn> --service <service-arn> --platform-version LATEST

Backout Plan:

Using AWS Console:

  1. If issues arise after updating to the latest platform version, revert to the previous task definition with the older platform version.

  2. Redeploy ECS services using the older platform version.

Using AWS CLI:

  1. If problems arise, run the following command to revert to the previous platform version:

    aws ecs update-service --cluster <cluster-arn> --service <service-arn> --platform-version <previous-platform-version>


References:

  1. AWS ECS: Platform Version

  2. AWS CLI: List Clusters

  3. AWS CLI: List Services

  4. AWS CLI: Describe Services

  5. AWS CLI: Update Service

CIS Controls:

Version

Control ID

Control Description

v8

2.2

Ensure Authorized Software is Currently Supported: Ensure the software is supported and up-to-date to avoid vulnerabilities and ensure compatibility.

v7

2.2

Ensure Software is Supported by Vendor: Ensure that only currently supported software is used within the organization's authorized software inventory.