DEV Community

Atsushi Suzuki

How to Protect ECS Containers with a Read-Only Root Filesystem

After enabling AWS Security Hub, I found several security risks related to ECS task definitions. Among them, I addressed the issue of containers lacking read-only access to their root filesystems. Here, I’ll explain the problem and the steps I took to resolve it.

The Issue

Here’s the security risk identified by Security Hub:

ECS containers should be limited to read-only access to root filesystems

This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to ‘false’.

Explanation

The warning highlights that the ReadonlyRootFilesystem parameter in the ECS task definition is set to false, allowing write access to the container’s root filesystem. This poses several security risks, such as:

  1. Tampering with system configuration files

    • Example: /etc/hosts or /etc/passwd could be modified by an attacker, leading to DNS resolution changes or unauthorized user account modifications.
  2. Alteration of executable files

    • Example: Modifications to /usr/bin/node or /bin/sh could allow malicious code execution.
  3. Resource exhaustion due to inappropriate write operations

    • Example: Excessive logs or temporary files written to /var/log or /dev/shm could deplete memory or storage resources.

The Solution

1. Enable ReadonlyRootFilesystem

To enforce a read-only root filesystem, add the following line to the containerDefinitions section of your ECS task definition:

"readonlyRootFilesystem": true

This ensures the container's root filesystem is read-only, preventing unauthorized writes and tampering.

2. Handle Temporary File Requirements

Some applications may require write access for logging or temporary data processing. In such cases, you can configure specific directories, such as /tmp, to allow write access.

Here’s how to set it up in your ECS task definition:

Define a Volume

For Fargate environments, leave the host option empty. Fargate will automatically use its ephemeral storage.

"volumes": [
  {
    "name": "temp-storage",
    "host": {}
  }
]

Mount the Volume to /tmp

Next, mount the defined volume to the /tmp directory within the container and enable write access:

"mountPoints": [
  {
    "sourceVolume": "temp-storage",
    "containerPath": "/tmp",
    "readOnly": false
  }
]

This setup restricts write access to the /tmp directory while keeping the rest of the root filesystem read-only.
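The three task-definition fragments above (the readonlyRootFilesystem flag, the volume, and the /tmp mount point) are easier to reason about as one audit-and-remediate step. The following Python is an added example, not code from the original post or from AWS: it takes a task definition in the JSON shape that ECS uses, reports the containers that would fail the Security Hub control, lists which container paths remain writable, and produces a hardened copy with the same volume and mount point the post describes. The sample task definition, the container names and the images are constructed for illustration; the only ECS field semantics it relies on are that readonlyRootFilesystem defaults to false when omitted and that a mountPoint's readOnly also defaults to false.

```python
import copy
import json

# Constructed sample task definition (not from the post). "web" is already
# hardened the way the post describes; "worker" omits readonlyRootFilesystem,
# which ECS treats as false, so it fails the Security Hub control.
SAMPLE_TASK_DEF = {
    "family": "example-app",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "example/web:1.0",
            "readonlyRootFilesystem": True,
            "mountPoints": [
                {"sourceVolume": "temp-storage", "containerPath": "/tmp", "readOnly": False}
            ],
        },
        {"name": "worker", "image": "example/worker:1.0"},
    ],
    "volumes": [{"name": "temp-storage", "host": {}}],
}


def find_writable_root_containers(task_def):
    """Names of containers whose root filesystem is writable.

    Mirrors the Security Hub check: a container fails when
    readonlyRootFilesystem is false, and also when it is absent,
    because the ECS default is false.
    """
    return [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def writable_paths(task_def):
    """Map each container name to the mount paths that stay writable.

    Useful as a review aid: after hardening, this should list only the
    scratch directories you deliberately allowed (e.g. /tmp).
    """
    return {
        c["name"]: [
            m["containerPath"]
            for m in c.get("mountPoints", [])
            if not m.get("readOnly", False)  # readOnly defaults to false
        ]
        for c in task_def.get("containerDefinitions", [])
    }


def harden_task_definition(task_def, volume_name="temp-storage", writable_path="/tmp"):
    """Return a copy with every root filesystem read-only plus a writable scratch mount.

    The volume is declared with an empty "host" object; on Fargate that maps
    to the task's ephemeral storage, as the post describes. Existing volumes
    and mount points with the same name/path are left untouched.
    """
    fixed = copy.deepcopy(task_def)  # never mutate the caller's definition
    volumes = fixed.setdefault("volumes", [])
    if not any(v.get("name") == volume_name for v in volumes):
        volumes.append({"name": volume_name, "host": {}})
    for c in fixed.get("containerDefinitions", []):
        c["readonlyRootFilesystem"] = True
        mounts = c.setdefault("mountPoints", [])
        if not any(m.get("containerPath") == writable_path for m in mounts):
            mounts.append(
                {"sourceVolume": volume_name, "containerPath": writable_path, "readOnly": False}
            )
    return fixed


if __name__ == "__main__":
    print("failing containers:", find_writable_root_containers(SAMPLE_TASK_DEF))
    hardened = harden_task_definition(SAMPLE_TASK_DEF)
    print("writable paths after fix:", writable_paths(hardened))
    print(json.dumps(hardened, indent=2))
```

To run this against a real definition, the output of `aws ecs describe-task-definition --task-definition <family> --query taskDefinition` can be loaded with `json.load` and passed to these functions; the read-only metadata fields that call returns (ARN, revision, status and similar) have to be dropped before the hardened copy is registered as a new revision.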

Important Considerations

  1. Adjust Application Write Operations

    If your application writes to specific locations (e.g., /var/log or /data), you’ll need to redirect these write operations to /tmp or another designated writable directory.

  2. Standardize Logging

    To simplify operations and improve security, consider directing logs to stdout and integrating with external logging services such as Amazon CloudWatch Logs.
