ECS Should Have Readonly Access For Containers
More Info:
This rule verifies if the readonlyRootFilesystem attribute is set to ‘true’ for containers within ECS Task Definitions. Enabling readonly access to the root filesystem enhances security by preventing unauthorized modifications or tampering with critical system files.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using the AWS console, follow these steps:
- Access AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to ECS Cluster: Navigate to the ECS Cluster that you want to remediate the misconfiguration for.
- Select Task Definition: Select the Task Definition that is associated with the ECS service where you want to enforce read-only access for containers.
- Edit Task Definition: Click on the “Actions” dropdown menu and select “Create new revision” to create a new revision of the Task Definition.
- Update Container Definitions: In the Task Definition editor, locate the container definition for which you want to enforce read-only access.
- Update Container Configuration: In the container configuration section, add the following configuration to enforce read-only access:
  {
    "name": "containerName",
    "readonlyRootFilesystem": true
  }
  Replace containerName with the name of your container.
- Save Changes: After adding the readonlyRootFilesystem configuration, save the changes to the Task Definition.
- Update ECS Service: Go back to the ECS Cluster dashboard and navigate to the ECS Service associated with the Task Definition you just updated.
- Update Service: Click on the service and then click on the “Update” button to force the service to use the latest Task Definition revision.
- Verify Changes: Once the service has been updated, verify that the containers now have read-only access to the filesystem by checking the container logs or running commands inside the container.
By following these steps, you will be able to remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using the AWS console.
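The check this rule performs, together with the task-definition change the console steps above make, written out as an added Python example (this is not the page's or AWS's own code). It runs offline against a constructed task-definition document in the shape that describe_task_definition returns; READ_ONLY_KEYS, the sample containers and the optional tmpfs_paths parameter are this example's own assumptions. It goes one step beyond the text: a read-only root breaks containers that write scratch files, so the hardening function can add tmpfs mounts for those paths.

```python
import copy
import json

# Keys that describe_task_definition returns but register_task_definition
# rejects; they must be stripped before a new revision is registered.
# (Assumed list for this example, taken from the ECS API shape.)
READ_ONLY_KEYS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# Constructed sample task definition: one compliant container, one with the
# attribute missing (ECS defaults it to false) and one set explicitly false.
# EC2 launch type is used because tmpfs mounts are not supported on Fargate.
SAMPLE_TASK_DEFINITION = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:3",
    "family": "web",
    "revision": 3,
    "status": "ACTIVE",
    "networkMode": "bridge",
    "requiresCompatibilities": ["EC2"],
    "containerDefinitions": [
        {"name": "nginx", "image": "nginx:1.25", "essential": True,
         "memory": 128, "readonlyRootFilesystem": True},
        {"name": "app", "image": "example/app:1.0", "essential": True,
         "memory": 256},
        {"name": "sidecar", "image": "example/sidecar:1.0", "essential": False,
         "memory": 64, "readonlyRootFilesystem": False},
    ],
}


def noncompliant_containers(task_definition):
    """Return names of containers whose root filesystem is writable.

    A missing readonlyRootFilesystem key counts as writable, because the
    ECS default for the attribute is false.
    """
    return [
        c["name"]
        for c in task_definition.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def harden_task_definition(task_definition, tmpfs_paths=None):
    """Return register_task_definition kwargs for a compliant new revision.

    Every container gets readonlyRootFilesystem=true. Each path in
    tmpfs_paths ({containerPath: size_in_MiB}) gets an in-memory tmpfs
    mount so workloads that need scratch space keep working.
    The input document is not modified.
    """
    new_def = copy.deepcopy(task_definition)
    for key in READ_ONLY_KEYS:
        new_def.pop(key, None)
    for container in new_def["containerDefinitions"]:
        container["readonlyRootFilesystem"] = True
        if tmpfs_paths:
            linux = container.setdefault("linuxParameters", {})
            mounts = linux.setdefault("tmpfs", [])
            present = {m["containerPath"] for m in mounts}
            for path, size_mib in tmpfs_paths.items():
                if path not in present:
                    mounts.append({"containerPath": path, "size": size_mib})
    return new_def


if __name__ == "__main__":
    print("writable root:", noncompliant_containers(SAMPLE_TASK_DEFINITION))
    hardened = harden_task_definition(SAMPLE_TASK_DEFINITION, {"/tmp": 64})
    print("after hardening:", noncompliant_containers(hardened))
    print(json.dumps(hardened, indent=2))
    # In a live account the hardened document is what you would pass to
    # boto3.client("ecs").register_task_definition(**hardened), followed by
    # update_service pointing at the new revision.
```

Before registering the hardened revision, confirm which paths each image actually writes to; a container that needs to write anywhere other than the tmpfs or volume mount points will fail to start once its root is read-only, so test the new revision in a non-production service first.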
To remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using AWS CLI, you can follow these steps:
- Identify the IAM role associated with your ECS service:
  aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[0].role' --output text
- Update the IAM policy attached to the IAM role associated with your ECS service to provide read-only access for containers. You can create a new IAM policy with the required permissions or update the existing policy. Here is an example of a policy that provides read-only access to ECS containers:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecs:DescribeTasks",
          "ecs:DescribeTaskDefinition",
          "ecs:DescribeContainerInstances"
        ],
        "Resource": "*"
      }
    ]
  }
- Attach the updated IAM policy to the IAM role associated with your ECS service:
  aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://path/to/updated-policy.json
- Verify the changes by describing the IAM role policy:
  aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>
By following these steps, you can remediate the misconfiguration of ECS not having read-only access for containers in AWS Kubernetes using AWS CLI.
To remediate the misconfiguration of ECS not having readonly access for containers in AWS Kubernetes using Python, you can follow these steps:
- Create an IAM Policy with readonly access for ECS containers:
  import json
  import boto3

  iam = boto3.client('iam')

  # Policy document granting only the ECS Describe* (read-only) actions
  policy_document = {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "ecs:DescribeContainerInstances",
                  "ecs:DescribeTaskDefinition",
                  "ecs:DescribeTasks"
              ],
              "Resource": "*"
          }
      ]
  }
  response = iam.create_policy(
      PolicyName='ECSContainerReadonlyPolicy',
      PolicyDocument=json.dumps(policy_document)
  )
  policy_arn = response['Policy']['Arn']
- Attach the newly created IAM Policy to the ECS service role:
  # attach_role_policy is the IAM call that binds a managed policy to a role;
  # ecs.update_service has no policy parameter and cannot do this
  iam.attach_role_policy(
      RoleName='ecsServiceRole',
      PolicyArn=policy_arn
  )
- Verify the changes by checking the IAM policies attached to the ECS service role:
  response = iam.list_attached_role_policies(
      RoleName='ecsServiceRole'
  )
  for policy in response['AttachedPolicies']:
      print(policy['PolicyName'])
By following these steps, you can remediate the misconfiguration of ECS not having readonly access for containers in AWS Kubernetes using Python.