AWS ECS task definition is not configured with read-only access to container root filesystems
Description
This policy is checking to ensure that Elastic Container Service (ECS) containers are restricted to read-only access to root file systems. The policy's monitoring is primarily concerned with maintaining a high level of security for the system.
Allowing write access to the root file system can pose a high security risk. If a containerized application is compromised, it could enable an attacker to alter the root file system of the host machine, thus compromising the entire system or application. This could lead to significant data loss, system crashes, or a broader security breach. Therefore, it's essential to limit all ECS containers to read-only access to restrict the potential actions of a compromised container.
Code Example
resource "aws_ecs_task_definition" "task_definition" {
family = "service"
cpu = "256"
memory = "512"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
execution_role_arn = aws_iam_role.ecs_execution_iam_role.arn
container_definitions = <<DEFINITION
[
{
"name": "container",
"image": "http://dockr.io/example:latest",
"cpu": 256,
"memory": 512,
"essential": true,
"networkMode": "awsvpc",
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "awslogs-example",
"awslogs-region": "us-west-2",
"awslogs-stream-prefix": "awslogs-example"
}
},
"mountPoints": [
{
"sourceVolume": "my_volume",
"containerPath": "/mnt/my_volume",
"readOnly": true
}
],
"readonlyRootFilesystem": true
}
]
DEFINITION
}Remediation
Terraform
- Resource: aws_ecs_task_definition
- Arguments: container_definitions.readonlyRootFilesystem
To fix the issue, you need to specify the `read_only` parameter for each one of your ECS containers in your terraform files. By setting this parameter to `true`, you guarantee that the ECS container will have read-only access to the root file system.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0383 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_336 |