This rule checks whether the readonlyRootFilesystem attribute is set to ‘true’ for each container within ECS Task Definitions. Making the root filesystem read-only strengthens container security by preventing unauthorized modification of, or tampering with, critical system files.
Replace containerName with the name of your container.
Save Changes: After adding the readonlyRootFilesystem configuration, save the changes to the Task Definition.
Update ECS Service: Go back to the ECS Cluster dashboard and navigate to the ECS Service associated with the Task Definition you just updated.
Update Service: Click on the service and then click on the “Update” button to force the service to use the latest Task Definition revision.
Verify Changes: Once the service has been updated, verify that the containers now run with a read-only root filesystem by checking the container logs or by running a command inside the container (an attempt to write to a path on the root filesystem should fail with a read-only filesystem error).
By following these steps, you will be able to remediate the misconfiguration of ECS containers not having a read-only root filesystem in Amazon ECS using the AWS console.
Update the IAM policy attached to the IAM role associated with your ECS service to provide read-only access for containers. You can create a new IAM policy with the required permissions or update the existing policy. Here is an example of a policy that provides read-only access to ECS containers: