More Info:

This rule verifies if the readonlyRootFilesystem attribute is set to ‘true’ for containers within ECS Task Definitions. Enabling readonly access to the root filesystem enhances security by preventing unauthorized modifications or tampering with critical system files.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using the AWS console, follow these steps:
  1. Access AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to ECS Cluster: Navigate to the ECS Cluster that you want to remediate the misconfiguration for.
  3. Select Task Definition: Select the Task Definition that is associated with the ECS service where you want to enforce read-only access for containers.
  4. Edit Task Definition: Click on the “Actions” dropdown menu and select “Create new revision” to create a new revision of the Task Definition.
  5. Update Container Definitions: In the Task Definition editor, locate the container definition for which you want to enforce read-only access.
  6. Update Container Configuration: In the container configuration section, add the following configuration to enforce read-only access: 
    {
    "name": "containerName",
    "readonlyRootFilesystem": true
}
    Replace containerName with the name of your container.
  7. Save Changes: After adding the readonlyRootFilesystem configuration, save the changes to the Task Definition.
  8. Update ECS Service: Go back to the ECS Cluster dashboard and navigate to the ECS Service associated with the Task Definition you just updated.
  9. Update Service: Click on the service and then click on the “Update” button to force the service to use the latest Task Definition revision.
  10. Verify Changes: Once the service has been updated, verify that the containers now have read-only access to the filesystem by checking the container logs or running commands inside the container.
By following these steps, you will be able to remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using the AWS console.

To remediate the misconfiguration of ECS having read-only access for containers in AWS Kubernetes using AWS CLI, you can follow these steps:
  1. Identify the IAM role associated with your ECS service: 
    aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[0].role' --output text
  2. Update the IAM policy attached to the IAM role associated with your ECS service to provide read-only access for containers. You can create a new IAM policy with the required permissions or update the existing policy. Here is an example of a policy that provides read-only access to ECS containers: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeTasks",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeContainerInstances"
            ],
            "Resource": "*"
        }
    ]
}
  3. Attach the updated IAM policy to the IAM role associated with your ECS service: 
    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://path/to/updated-policy.json
  4. Verify the changes by describing the IAM role policy: 
    aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>
By following these steps, you can remediate the misconfiguration of ECS having read-only access for containers in AWS Kubernetes using AWS CLI.
To remediate the misconfiguration of ECS not having readonly access for containers in AWS Kubernetes using Python, you can follow these steps:
  1. Create an IAM Policy with readonly access for ECS containers:
import boto3

iam = boto3.client('iam')

policy_document = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks"
            ],
            "Resource": "*"
        }
    ]
}

response = iam.create_policy(
    PolicyName='ECSContainerReadonlyPolicy',
    PolicyDocument=json.dumps(policy_document)
)

policy_arn = response['Policy']['Arn']
  1. Attach the newly created IAM Policy to the ECS service role:
ecs = boto3.client('ecs')

ecs.update_service(
    cluster='your-cluster-name',
    service='your-service-name',
    taskDefinition='your-task-definition',
    role='ecsServiceRole',
    policy=policy_arn
)
  1. Verify the changes by checking the IAM policies attached to the ECS service role:
response = iam.list_attached_role_policies(
    RoleName='ecsServiceRole'
)

for policy in response['AttachedPolicies']:
    print(policy['PolicyName'])
By following these steps, you can remediate the misconfiguration of ECS not having readonly access for containers in AWS Kubernetes using Python.