By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Is it possible to create a QueueProcessingFargateService with read-only root filesystem with cdk?

0

AWS Foundational Security Best Practices v1.0.0 has a high risk check [ECS.5] ECS containers should be limited to read-only access to root filesystems. The remediation explains how to change this in the console. However, I haven't found a way to do this for a QueueProcessingFargateService using CDK.

If a QueueProcessingFargateService could be created without an image, this could have been solved by calling add_container on the task definition, but image is mandatory so that doesn't work.

Does anyone know if it is possible to create a QueueProcessingFargateService with read-only root filesystem and if so, how?

Topics
ServerlessContainersAWS Well-Architected Framework
Tags
AWS FargateAmazon Elastic Container ServiceContainersSecurity
Language
English
Knut
asked 2 years ago240 views
1 Answer
0
Accepted Answer

Hi @knut,

Thanks for posting your concern here at AWS re:Post.

So from the query I can understand that in corresponding to ECS.5 [1] you want to implement the same on Fargate Service using CDK. Please correct me if I have misunderstood your query here.

Post-investigating QueueProcessingFargateService Class, I don't see this is yet available for "ReadonlyRootFilesystem" Parameter. As it's a new change that requires time for CDK Team to review, you can always create new use-case requirement for QueueProcessingFargateService at: [2] so that development Team from CDK can have attention towards this.

Rest, if you have any follow-up queries or concerns, please feel free to raise a new Support Case at: https://support.console.aws.amazon.com/support/home

Thanks! Have an AWSome Day Ahead & Stay Safe!

profile pictureAWS
SUPPORT ENGINEER
Ramneek-Kalra
answered 2 years ago
  • Knut
    2 years ago

    Thank you for the answer. This confirmed my findings. I don't see that this is much of a risk in a QueueProcessingFargateService anyway since images are started and stopped fairly regularly. It's more the "High security risk" label in Security Hub that bothers me.

    I will ignore this in Security Hub for now.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content