This check verifies that ECS services with the Fargate launch type run on the latest Fargate platform version, either by specifying platformVersion=LATEST or by pinning an explicit version that matches the current release for the service's platformFamily (Linux or Windows). Services on the EC2 launch type have no platform version and are out of scope.
Risk
Running on an outdated platform version leaves known CVEs in the Fargate kernel and container runtime unpatched and keeps newer runtime features (such as ECS Exec, which requires Linux platform version 1.4.0 or later) unavailable, risking:
- Confidentiality: data exposure via container escape
- Integrity: privilege escalation and tampering
- Availability: crashes/DoS and instability under load
Run this check with Prowler CLI
prowler aws --checks ecs_service_fargate_latest_platform_version
Recommendation
- Prefer platformVersion=LATEST so each new deployment picks up the current release and its patches automatically; note that LATEST is resolved when a deployment starts, so tasks already running keep the version they launched with until the service is redeployed.
- If pinning, monitor platform version releases and retirements and redeploy quickly to the current version.
- Automate updates with staged rollouts in CI/CD.
- Apply defense in depth and least privilege to limit runtime exploit impact.
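The following audit script is an added example for this page, not Prowler's own check implementation. It takes service objects in the shape returned by `aws ecs describe-services` (the sample below is constructed inline so it runs offline), applies the check logic described above, and attaches the CLI remediation to each failing service. The CURRENT_RELEASE table (Linux 1.4.0, Windows 1.0.0) is an assumption fixed at the time of writing and must be refreshed from the AWS platform-version documentation before use; the service names and cluster name are hypothetical.

```python
"""Audit ECS Fargate services for an outdated platform version.

Added example for this page; it is not Prowler's own check code. Input is a list of
service objects in the shape returned by ``aws ecs describe-services`` (the sample
below is constructed). A Fargate service passes when its platformVersion is LATEST
(or unset, which ECS treats as LATEST) or equals the current release for its
platform family; it fails when pinned to an older release.
"""
from __future__ import annotations

import json

# ASSUMPTION: current Fargate releases per platform family at the time of writing.
# Refresh from the AWS platform-version documentation before relying on this table.
CURRENT_RELEASE = {"LINUX": "1.4.0", "WINDOWS": "1.0.0"}


def _parse_version(version: str) -> tuple[int, ...] | None:
    """Turn "1.4.0" into (1, 4, 0); return None for anything that is not dotted digits."""
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_fargate(service: dict) -> bool:
    """True for launchType FARGATE or a capacity provider strategy on FARGATE/FARGATE_SPOT."""
    if service.get("launchType") == "FARGATE":
        return True
    providers = {s.get("capacityProvider") for s in service.get("capacityProviderStrategy", [])}
    return bool(providers & {"FARGATE", "FARGATE_SPOT"})


def family_of(service: dict) -> str:
    """Map platformFamily values such as WINDOWS_SERVER_2022_CORE to the release table keys."""
    fam = service.get("platformFamily", "LINUX")
    return "WINDOWS" if fam.upper().startswith("WINDOWS") else "LINUX"


def evaluate(service: dict) -> dict:
    """Return {"service", "status", "reason"} with status PASS, FAIL, SKIP or MANUAL."""
    name = service.get("serviceName", "<unknown>")
    if not is_fargate(service):
        return {"service": name, "status": "SKIP", "reason": "not a Fargate service"}
    version = service.get("platformVersion") or "LATEST"  # unset means LATEST for Fargate
    if version == "LATEST":
        return {"service": name, "status": "PASS", "reason": "platformVersion=LATEST"}
    family = family_of(service)
    current = CURRENT_RELEASE[family]
    if version == current:
        return {"service": name, "status": "PASS",
                "reason": f"pinned to current {family} release {current}"}
    parsed, latest = _parse_version(version), _parse_version(current)
    if parsed is None or parsed > latest:
        # Unparseable value, or a release newer than our table: a human must look.
        return {"service": name, "status": "MANUAL",
                "reason": f"unrecognised platformVersion {version}; release table may be stale"}
    return {"service": name, "status": "FAIL",
            "reason": f"pinned to {version}, current {family} release is {current}"}


def remediation_command(cluster: str, service: str) -> str:
    """The CLI fix from this page; --force-new-deployment also rolls tasks already on LATEST."""
    return (f"aws ecs update-service --cluster {cluster} --service {service} "
            "--platform-version LATEST --force-new-deployment")


def audit(cluster: str, services: list[dict]) -> list[dict]:
    """Evaluate every service and attach the remediation command to each FAIL."""
    findings = []
    for svc in services:
        finding = evaluate(svc)
        if finding["status"] == "FAIL":
            finding["remediation"] = remediation_command(cluster, finding["service"])
        findings.append(finding)
    return findings


# Constructed sample: trimmed fields from what describe-services would return.
SAMPLE_SERVICES = [
    {"serviceName": "api", "launchType": "FARGATE", "platformVersion": "LATEST", "platformFamily": "LINUX"},
    {"serviceName": "legacy-worker", "launchType": "FARGATE", "platformVersion": "1.3.0", "platformFamily": "LINUX"},
    {"serviceName": "batch-ec2", "launchType": "EC2"},
    {"serviceName": "win-svc", "capacityProviderStrategy": [{"capacityProvider": "FARGATE_SPOT", "weight": 1}],
     "platformVersion": "1.0.0", "platformFamily": "WINDOWS_SERVER_2022_CORE"},
    {"serviceName": "odd-pin", "launchType": "FARGATE", "platformVersion": "9.9.9", "platformFamily": "LINUX"},
]

if __name__ == "__main__":
    print(json.dumps(audit("prod", SAMPLE_SERVICES), indent=2))
```

In real use, feed the script the `services` array from `aws ecs describe-services --cluster <cluster-name> --services <names>` instead of SAMPLE_SERVICES. The MANUAL status exists so that a stale release table never silently passes or fails a service pinned to a version the table does not know about.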
Remediation
CLI
aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version LATEST
Changing the platform version starts a new deployment. If the service already specifies LATEST and you only need running tasks to move to a newly released platform version, add --force-new-deployment to the same command.
Native IaC
Terraform
Other
- In the AWS Console, go to Amazon ECS
- Open your cluster and select the service
- Click Update
- Set Platform version to LATEST
- Click Update service (or Deploy) to apply
Source Code
Resource Type
AwsEcsService
References
- https://servian.dev/setting-up-fargate-for-ecs-exec-8f5cc8d7d80e
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform-fargate.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ECS/platform-version.html
- https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-10