Amazon ECS task definitions specify whether container root filesystems are read-only via readonlyRootFilesystem. Containers where this setting is absent or set to false effectively have write access to the root filesystem.
Risk
A writable root filesystem enables runtime tampering and persistence. Attackers can modify binaries or configs, drop implants, or delete critical files, degrading integrity and availability. Access to writable paths can also expose secrets and logs, eroding confidentiality and complicating incident response.
prowler aws --checks ecs_task_definitions_containers_readonly_access
Recommendation
Enforce readonlyRootFilesystem: true for containers.
- Grant write access only via specific volumes required by the app
- Apply least privilege and defense in depth: run as non-root, drop unnecessary capabilities, and keep images immutable so runtime writes aren't needed
Remediation
aws ecs register-task-definition --family <task-family> --container-definitions '[{"name":"<container-name>","image":"<image>","readonlyRootFilesystem":true}]'
- In the AWS Console, go to Amazon ECS > Task Definitions
- Select the task family <task-family> and click Create new revision
- For each container, edit and enable Read-only root filesystem (readonlyRootFilesystem = true)
- Click Create to register the new revision
- (If needed) Update services to use the new revision
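The check and the remediation above, as an added example (not Prowler's own check code): the first function flags containers whose root filesystem is writable, the second builds a new revision body that sets every container read-only and, where the app needs one, provides a single writable path as a tmpfs mount instead of a writable root. The task definition and container names are constructed for illustration; linuxParameters.tmpfs applies to Linux tasks on EC2 (Fargate tasks would use a volume plus mountPoints instead).

```python
"""Audit and harden an ECS task definition for writable container root filesystems."""
import copy
import json
from typing import Dict, List, Optional

# Constructed sample, shaped like the taskDefinition returned by DescribeTaskDefinition.
SAMPLE_TASK_DEF = {
    "family": "web-app",
    "containerDefinitions": [
        {"name": "nginx", "image": "nginx:1.25", "readonlyRootFilesystem": True},
        {"name": "api", "image": "example/api:2.0", "readonlyRootFilesystem": False},
        {"name": "sidecar", "image": "example/sidecar:1.0"},  # setting absent: writable
    ],
}


def writable_root_containers(task_def: dict) -> List[str]:
    """Names of containers where readonlyRootFilesystem is absent or not true."""
    return [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def harden_task_definition(task_def: dict, scratch_paths: Optional[Dict[str, str]] = None) -> dict:
    """Return a copy of the task definition with every container set read-only.

    scratch_paths maps container name -> one path the app must write to (e.g. "/tmp").
    That path is mounted as tmpfs so the root filesystem itself stays immutable.
    """
    scratch_paths = scratch_paths or {}
    new_def = copy.deepcopy(task_def)  # never mutate the caller's revision
    for c in new_def.get("containerDefinitions", []):
        c["readonlyRootFilesystem"] = True
        path = scratch_paths.get(c["name"])
        if path:
            # Assumed Linux/EC2 task: tmpfs lives under linuxParameters (not supported on Fargate).
            params = c.setdefault("linuxParameters", {})
            params.setdefault("tmpfs", []).append({"containerPath": path, "size": 64})
    return new_def


if __name__ == "__main__":
    print("writable root filesystems:", writable_root_containers(SAMPLE_TASK_DEF))
    fixed = harden_task_definition(SAMPLE_TASK_DEF, {"api": "/tmp"})
    # The containerDefinitions list is what you pass to register-task-definition.
    print(json.dumps(fixed["containerDefinitions"], indent=2))
```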
Resource Type
AwsEcsTaskDefinition