💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems

ID: /frameworks/aws-fsbp-v1.0.0/ecs/05

Description

If the readonlyRootFilesystem parameter is set to true in an Amazon ECS task definition, the ECS container is given read-only access to its root file system. This reduces security attack vectors because the container instance's root file system can't be tampered with or written to without explicit volume mounts that have read-write permissions for file system folders and directories. Enabling this option also adheres to the principle of least privilege.

Similar

AWS Security Hub
- https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5
Internal
- ID: dec-c-437eb07b

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	65	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			22	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78	no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (1)

Policy	Logic Count	Flags	Compliance
🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Give Policies To)​

Sub Sections​

Policies (1)​

Description

Similar

Similar Sections (Give Policies To)

Sub Sections

Policies (1)