Description
This policy identifies AWS ECS Task Definitions in which the readonlyRootFilesystem parameter is set to false or omitted (which defaults to false) for any container.
When set to true, this parameter mounts the container's root file system as read-only.
Rationale
Mounting the container's root file system as read-only is a security best practice aligned with immutable infrastructure principles.
Key benefits include:
- Immutability: Prevents application code and system files from being modified at runtime, reinforcing the expectation that containers are ephemeral and stateless.
- Malware Prevention: Limits an attacker's ability to download scripts, install packages, or persist malicious binaries in common system directories.
- Configuration Drift Prevention: Ensures the running container cannot diverge from the original image definition.
If a container must write temporary data (e.g., logs, cache files), a dedicated tmpfs mount or a Docker volume should be used rather than allowing writes to the container's root layer.
Impact
Containers must be designed to write only to explicitly mounted volumes intended for temporary or persistent data. Applications that attempt to write to locations such as /var/log or /tmp will fail unless those paths are backed by writable mounts.
Audit
This policy marks an AWS ECS Task Definition as INCOMPLIANT if any related ECS Container Definition has the readonlyRootFilesystem parameter set to false (or omitted, which defaults to false).
Inactive Task Definitions are marked as INAPPLICABLE.
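The following is an added example, not code from the policy page or from AWS: it applies the audit rule above (false or omitted means INCOMPLIANT, inactive means INAPPLICABLE) to task definitions shaped like the `taskDefinition` object returned by `aws ecs describe-task-definition`, and the compliant sample shows the remediation from the Rationale section: `readonlyRootFilesystem` set to true with a tmpfs mount for `/tmp` and a named volume for `/var/log`. The task definitions, family names and image names are constructed for the example; only the field names are real ECS task definition keys.

```python
"""Evaluate ECS task definitions against the readonlyRootFilesystem policy."""

# Constructed sample task definitions (same shape as the "taskDefinition"
# object from `aws ecs describe-task-definition`). Images and names are made up.
SAMPLE_TASK_DEFINITIONS = [
    {
        # Weak: parameter omitted on the container, so it defaults to false.
        "family": "web-weak",
        "status": "ACTIVE",
        "containerDefinitions": [
            {"name": "app", "image": "example/app:1.0"},
        ],
    },
    {
        # Hardened: root filesystem read-only; writable paths backed by explicit mounts.
        "family": "web-hardened",
        "status": "ACTIVE",
        "containerDefinitions": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "readonlyRootFilesystem": True,
                "linuxParameters": {
                    # tmpfs scratch space for /tmp (size in MiB), mounted noexec/nosuid
                    "tmpfs": [
                        {"containerPath": "/tmp", "size": 64,
                         "mountOptions": ["noexec", "nosuid"]}
                    ]
                },
                # /var/log backed by a task volume instead of the root layer
                "mountPoints": [
                    {"sourceVolume": "logs", "containerPath": "/var/log", "readOnly": False}
                ],
            }
        ],
        "volumes": [{"name": "logs", "host": {}}],
    },
    {
        # Inactive revision: out of scope for the policy even though it is weak.
        "family": "old-inactive",
        "status": "INACTIVE",
        "containerDefinitions": [
            {"name": "app", "image": "example/app:0.9", "readonlyRootFilesystem": False},
        ],
    },
]


def evaluate(task_definition):
    """Return (verdict, offending_container_names) for one task definition.

    verdict is INAPPLICABLE for non-ACTIVE revisions, otherwise INCOMPLIANT
    when any container has readonlyRootFilesystem false or omitted, else COMPLIANT.
    """
    if task_definition.get("status") != "ACTIVE":
        return "INAPPLICABLE", []
    offending = [
        container.get("name", "<unnamed>")
        for container in task_definition.get("containerDefinitions", [])
        # .get(..., False) reproduces the ECS default: omitted means false
        if not container.get("readonlyRootFilesystem", False)
    ]
    return ("INCOMPLIANT" if offending else "COMPLIANT"), offending


def evaluate_all(task_definitions):
    """Map each task definition family to its (verdict, offending containers)."""
    return {td["family"]: evaluate(td) for td in task_definitions}


if __name__ == "__main__":
    for family, (verdict, names) in evaluate_all(SAMPLE_TASK_DEFINITIONS).items():
        detail = f" (containers: {', '.join(names)})" if names else ""
        print(f"{family}: {verdict}{detail}")
```

When adapting this to live data, feed it the output of `describe-task-definition` for every active revision rather than only the latest one, since older active revisions can still be referenced by services. Note also that the `tmpfs` setting under `linuxParameters` applies to tasks on EC2 container instances and is not supported on the Fargate launch type, where a writable path has to come from a volume or bind mount instead.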