🛡️ AWS ECS Fargate Service platform version is outdated🟢

• Contextual name: 🛡️ Fargate Service platform version is outdated🟢
• ID: /ce/ca/aws/ecs/fargate-service-version
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ECS Service
  • 🔌 AWS ECS Service - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ECS.10] ECS Fargate services should run on the latest Fargate platform version

Description

Open File

Description

This policy identifies AWS ECS Fargate Services that are configured with platform version 1.3.0.

AWS Fargate platform versions are immutable runtime environments. Version 1.3.0 is considered outdated compared to 1.4.0 and later, which include significant architectural and performance improvements.

Rationale

Running services on outdated platform versions prevents access to the latest features, performance optimizations, and security enhancements.

Impact

Upgrading to a newer platform version may require operational effort to ensure compatibility with existing tasks and configurations.

Audit

This policy marks an AWS ECS Fargate Service as INCOMPLIANT if the Platform Version is set to 1.3.0.

Inactive ECS Services and other non-Fargate services are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Update the ECS Service to Use the LATEST Platform Version

Before applying the update in production, ensure that your application is tested with the new platform version in a staging environment to verify compatibility.

Changing the platform version triggers a new service deployment.

Using the AWS CLI

aws ecs update-service \
    --cluster {{cluster-name}} \
    --service {{service-name}} \
    --platform-version LATEST

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.10] ECS Fargate services should run on the latest Fargate platform version			1		no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization			21		no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	23		no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8		no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			23		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		23		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status		1	8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates		2	8		no data
💼 PCI DSS v3.2.1 → 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.			6		no data
💼 PCI DSS v4.0.1 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates			6		no data
💼 PCI DSS v4.0 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates			6		no data