This control checks if Amazon ECS containers are limited to read-only access to mounted root filesystems. The control fails if the readonlyRootFilesystem parameter is set to false or if the parameter doesn't exist in the container definition.
Risk
Allowing ECS containers to write to their root filesystems increases the risk of filesystem tampering and of vulnerability exploitation that persists changes inside the container, and it violates the principle of least privilege.
Run this check with Prowler CLI
prowler aws --checks ecs_task_definitions_containers_readonly_access
ARN template
arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}
Remediation
aws ecs register-task-definition --family <task-family> --container-definitions '[{"name":"<container-name>","image":"<image>","readonlyRootFilesystem":true}]'
https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5
Ensure that containers have read-only access to their root filesystems to limit write access and reduce the attack surface.
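The following is an added example, not Prowler's own check code, that reproduces the control's pass/fail logic over a constructed task definition and shows the remediated definition passing. It assumes input in the shape returned by aws ecs describe-task-definition (or the bare task definition document); every container name and image below is made up.

```python
import copy
import json

# Constructed sample (not from any real account): one container sets
# readonlyRootFilesystem to true, one sets it to false, one omits it entirely.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "sample-family",
  "containerDefinitions": [
    {"name": "api",     "image": "example/api:1.0",     "readonlyRootFilesystem": true},
    {"name": "worker",  "image": "example/worker:1.0",  "readonlyRootFilesystem": false},
    {"name": "sidecar", "image": "example/sidecar:1.0"}
  ]
}
""")


def _container_definitions(doc: dict) -> list:
    """Accept either a bare task definition or the describe-task-definition
    wrapper, which nests the document under the 'taskDefinition' key."""
    if "taskDefinition" in doc:
        doc = doc["taskDefinition"]
    return doc.get("containerDefinitions", [])


def container_has_readonly_root(container: dict) -> bool:
    """Pass only when readonlyRootFilesystem is explicitly the boolean true.
    A missing key and an explicit false both fail, matching the control."""
    return container.get("readonlyRootFilesystem") is True


def find_writable_root_containers(doc: dict) -> list:
    """Names of containers in the task definition that fail the check."""
    return [c["name"] for c in _container_definitions(doc)
            if not container_has_readonly_root(c)]


def task_definition_passes(doc: dict) -> bool:
    """The control passes only when every container has a read-only root."""
    return not find_writable_root_containers(doc)


def remediate(doc: dict) -> dict:
    """Return a deep copy with readonlyRootFilesystem set to true on every
    container. The original is left untouched; the caller registers the copy
    as a new task definition revision and points services at it."""
    fixed = copy.deepcopy(doc)
    for c in _container_definitions(fixed):
        c["readonlyRootFilesystem"] = True
    return fixed


if __name__ == "__main__":
    failing = find_writable_root_containers(SAMPLE_TASK_DEFINITION)
    print("failing containers:", failing)
    print("passes after remediation:", task_definition_passes(remediate(SAMPLE_TASK_DEFINITION)))
```

Registering the remediated document creates a new revision rather than changing the one in use, so services and scheduled tasks must be updated to the new revision before the fix takes effect. Containers that genuinely need scratch space should get an explicit volume or tmpfs mount rather than a writable root filesystem.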
Resource Type
AwsEcsTaskDefinition