Is it possible to create a QueueProcessingFargateService with read-only root filesystem with cdk?

Question

AWS Foundational Security Best Practices v1.0.0 has a high risk check [ECS.5] ECS containers should be limited to read-only access to root filesystems. The remediation explains how to change this in the console. However, I haven't found a way to do this for a QueueProcessingFargateService using CDK.

If a QueueProcessingFargateService could be created without an image, this could have been solved by calling add_container on the task definition, but image is mandatory so that doesn't work.

Does anyone know if it is possible to create a QueueProcessingFargateService with read-only root filesystem and if so, how?

Accepted Answer

Hi @knut,

Thanks for posting your concern here at AWS re:Post.

So from the query I can understand that in corresponding to ECS.5 [[1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ecs-5)] you want to implement the same on Fargate Service using CDK. Please correct me if I have misunderstood your query here.

Post-investigating QueueProcessingFargateService Class, I don't see this is yet available for "ReadonlyRootFilesystem" Parameter. As it's a new change that requires time for CDK Team to review, you can always create new use-case requirement for QueueProcessingFargateService at: [[2](https://github.com/aws/aws-cdk/issues?q=is%3Aissue+is%3Aopen+label%3Afeature-request)] so that development Team from CDK can have attention towards this.

Rest, if you have any follow-up queries or concerns, please feel free to raise a new Support Case at: https://support.console.aws.amazon.com/support/home

Thanks! Have an AWSome Day Ahead & Stay Safe!

Is it possible to create a QueueProcessingFargateService with read-only root filesystem with cdk?

Relevanter Inhalt