🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled🟢

Contextual name: 🛡️ Task Definition Readonly Root Filesystem is disabled🟢
ID: /ce/ca/aws/ecs/task-definition-readonly-root-filesystem
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ECS Task Definition
- 🔌 AWS ECS Container Definition - object.extracts.yaml
- 🔌 AWS ECS Task Definition - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ECS.5] ECS containers should be limited to read-only access to root filesystems

Description

Description

This policy identifies AWS ECS Task Definitions in which the readonlyRootFilesystem parameter is set to false or omitted (which defaults to false) for any container.

When enabled, this parameter mounts the container’s root file system as read-only.

Rationale

Mounting the container’s root file system as read-only is a security best practice aligned with immutable infrastructure principles.

Key benefits include:

Immutability: Prevents application code and system files from being modified at runtime, reinforcing the expectation that containers are ephemeral and stateless.

Malware Prevention: Limits an attacker’s ability to download scripts, install packages, or persist malicious binaries in common system directories.

Configuration Drift Prevention: Ensures the running container cannot diverge from the original image definition.

If a container must write temporary data (e.g., logs, cache files), a dedicated tmpfs mount or a Docker volume should be used rather than allowing writes to the container’s root layer.

... see more

Remediation

Open File

Remediation

Update the ECS Task Definition to Read-Only Root Filesystem

Using the AWS CLI
Retrieve the existing task definition JSON
aws ecs describe-task-definition \
    --task-definition {{family-or-full-arn}} \
    --query 'taskDefinition' > task-def.json
Edit task-def.json

For every container in the containerDefinitions list, set readonlyRootFilesystem to true.
"containerDefinitions": [
    {
        "name": "my-app",
        "image": "my-image",
        "readonlyRootFilesystem": true,
        ...
    }
]   
Register the updated task definition
aws ecs register-task-definition --cli-input-json file://task-def.json
Update your ECS service to use the new task definition revision

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems			1	no data
💼 Cloudaware Framework → 💼 Secure Access			74	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			27	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			18	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			27	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			18	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			183	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			122	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	27	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			22	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			18	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Update the ECS Task Definition to Read-Only Root Filesystem​

Using the AWS CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Update the ECS Task Definition to Read-Only Root Filesystem

Using the AWS CLI

policy.yaml

Linked Framework Sections