ECS Exec vs read-only-root-filesystem

Hi,

We're evaluating moving our application deployments from Kubernetes to ECS, but one of the requirements we're struggling with in ECS is command execution. We experimented with ECS Exec, but it requires disabling the readonlyRootFilesystem security feature - see Using Amazon ECS Exec for debugging:

The SSM agent requires that the container file system is able to be written to in order to create the required directories and files. Therefore, making the root file system read-only using the readonlyRootFilesystem task definition parameter, or any other method, isn't supported.

How do ECS users typically deal with this tradeoff? Do you disable readonlyRootFilesystem and find another security measure to mitigate its absence? Or do you forego ECS Exec and find another way to troubleshoot your containers, e.g. by adding more logging to your app?

Thanks,

Jim

Topics

Containers AWS Well-Architected Framework

Relevant content

ECS Exec error TargetNotConnectedException
AWS-User-3395749
asked 2 years ago
About file appending in ECS Exec
rePost-User-9867257
asked a year ago
AWS Batch: How to enable ECS Exec?
Anish
asked 7 months ago
How to set enable execute command on ecs fargate, blue/green deployment with code deploy?
bts
asked 6 months ago
How do I troubleshoot issues related to blue/green deployments in Amazon ECS?
AWS OFFICIALUpdated 2 years ago
Why is my Amazon ECS task stopped?
AWS OFFICIALUpdated 2 years ago
How can I get my Amazon ECS tasks running using the Amazon EC2 launch type to pass the Application Load Balancer health check in Amazon ECS?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot errors I receive when performing Amazon ECS Exec on my Fargate tasks?
AWS OFFICIALUpdated a year ago
How to customize audit logs in OpenSearch to see which queries were run by users?
EXPERT
Cathy W
published 2 months ago
How to deploy and start a new version of AWS Mainframe Modernization application from CI/CD pipeline?
EXPERT
Souma Suvra Ghosh
published 2 months ago