Hello,
To address the AWS Security Hub issue regarding ECS containers having limited read-only access to the root filesystem while still allowing your application to write to specific files, you can follow these recommendations:
1. Use Docker Volumes: Mount volumes to specific directories where your application needs to write data instead of granting write access to the entire root filesystem.
2. Separate Writeable Directories: Identify and grant write access only to specific directories or files within the root filesystem that your application requires.
3. SSM Parameter Store for Secrets: Grant read-only access to SSM parameters containing secrets and fetch them at runtime.
4. Temporary Files: Utilize designated temporary directories like /tmp within the container for storing temporary files.
5. Configuration Management: Dynamically update configuration files at runtime using configuration management tools instead of modifying them directly during build time.
6. Least Privilege Principle: Follow the principle of least privilege by granting only the minimum necessary permissions to your application to ensure security while maintaining functionality.
Hello,
I would recommend setting readOnly inside the mount points of the container definitions to false and testing whether that helps to resolve the issue.

{
  "family": "my-task",
  "containerDefinitions": [
    {
      "name": "my-container",
      "image": "my-image",
      "essential": true,
      "mountPoints": [
        {
          "sourceVolume": "my-volume",
          "containerPath": "/app/config",
          "readOnly": false
        }
      ],
      "readonlyRootFilesystem": true
    }
  ],
  "volumes": [
    {
      "name": "my-volume",
      "host": {
        "sourcePath": "/ecs/volumes/my-app-config"
      }
    }
  ]
}
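The pattern from both answers, as an added example (not code from either answer or from AWS): a constructed task definition that keeps readonlyRootFilesystem true and opens only a writable config mount and a tmpfs at /tmp, plus two small checks that report which containers would still trip the finding and which paths remain writable. The tmpfs entry under linuxParameters is assumed to run on the EC2 launch type; Fargate does not support it.

```python
import json

# Constructed example task definition (not from the thread): root filesystem is
# read-only; only a bind-mounted config directory and a tmpfs scratch area stay
# writable. linuxParameters.tmpfs needs the EC2 launch type (not Fargate).
TASK_DEF = {
    "family": "my-task",
    "containerDefinitions": [
        {
            "name": "my-container",
            "image": "my-image",
            "essential": True,
            "readonlyRootFilesystem": True,
            "mountPoints": [
                {"sourceVolume": "my-volume", "containerPath": "/app/config", "readOnly": False}
            ],
            "linuxParameters": {
                "tmpfs": [{"containerPath": "/tmp", "size": 64, "mountOptions": ["noexec", "nosuid"]}]
            },
        }
    ],
    "volumes": [{"name": "my-volume", "host": {"sourcePath": "/ecs/volumes/my-app-config"}}],
}


def root_not_readonly(task_def):
    """Names of containers whose root filesystem is still writable.

    readonlyRootFilesystem must be explicitly true; the field defaults to false
    when omitted, which is what the Security Hub finding flags.
    """
    return [
        c["name"]
        for c in task_def["containerDefinitions"]
        if c.get("readonlyRootFilesystem") is not True
    ]


def writable_paths(task_def, container_name):
    """Container paths that remain writable despite the read-only root:
    mount points with readOnly false plus every tmpfs mount."""
    for c in task_def["containerDefinitions"]:
        if c["name"] != container_name:
            continue
        paths = [m["containerPath"] for m in c.get("mountPoints", []) if not m.get("readOnly", False)]
        paths += [t["containerPath"] for t in c.get("linuxParameters", {}).get("tmpfs", [])]
        return sorted(paths)
    raise KeyError(container_name)


if __name__ == "__main__":
    print(json.dumps(TASK_DEF, indent=2))
    print("root fs still writable in:", root_not_readonly(TASK_DEF))
    print("writable paths:", writable_paths(TASK_DEF, "my-container"))
```

Running it over a definition that omits readonlyRootFilesystem lists that container, which is the case the finding reports.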