AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-03-26 · Documentation low

File: securityhub/latest/userguide/ecs-controls.md

Summary

Updated ECS controls documentation with clearer security explanations, simplified remediation steps, and Config rule formatting changes

Security assessment

Enhanced documentation for security controls (read-only root filesystems, secrets management) but no evidence of addressing specific vulnerabilities

Diff

diff --git a/securityhub/latest/userguide/ecs-controls.md b/securityhub/latest/userguide/ecs-controls.md
index de4b73c8f..c6922abc9 100644
--- a/securityhub/latest/userguide/ecs-controls.md
+++ b/securityhub/latest/userguide/ecs-controls.md
@@ -9,3 +9 @@
-These Security Hub controls evaluate the Amazon Elastic Container Service (Amazon ECS) service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These Security Hub controls evaluate the Amazon Elastic Container Service (Amazon ECS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -23 +21 @@ These controls may not be available in all AWS Regions. For more information, se
-**AWS Config rule:** [`ecs-task-definition-user-for-host-mode-check`](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html)
+**AWS Config rule:** [ecs-task-definition-user-for-host-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html)
@@ -134 +132 @@ To configure the `privileged` parameter on a task definition, see [Advanced cont
-This control checks if Amazon ECS containers are limited to read-only access to mounted root filesystems. The control fails if the `readonlyRootFilesystem` parameter is set to `false` or if the parameter doesn't exist in the container definition within the task definition. This control only evaluates the latest active revision of an Amazon ECS task definition.
+This control checks whether an Amazon ECS container has read-only access to its root file system. The control fails if the `readonlyRootFilesystem` parameter is set to `false`, or the parameter doesn't exist in the container definition within the task definition. This control evaluates only the latest active revision of an Amazon ECS task definition.
@@ -136 +134 @@ This control checks if Amazon ECS containers are limited to read-only access to
-Enabling this option reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. This control also adheres to the principle of least privilege.
+If the `readonlyRootFilesystem` parameter is set to `true` in an Amazon ECS task definition, the ECS container is given read-only access to its root file system. This reduces security attack vectors because the container instance's root file system can't be tampered with or written to without explicit volume mounts that have read-write permissions for file system folders and directories. Enabling this option also adheres to the principle of least privilege.
@@ -140,16 +138 @@ Enabling this option reduces security attack vectors since the container instanc
-###### Limiting container definitions to read-only access to root filesystems
-
-  1. Open the Amazon ECS classic console at [https://console.aws.amazon.com/ecs/](https://console.aws.amazon.com/ecs/).
-
-  2. In the left navigation pane, choose **Task definitions**.
-
-  3. Select a task definition that has container definitions that need to be updated. For each, complete the following steps:
-
-     * From the drop down, choose **Create new revision with JSON**.
-
-     * Add the `readonlyRootFilesystem` parameter, and set it to `true` in the container definition within the task definition.
-
-     * Choose **Create**.
-
-
-
+To give an Amazon ECS container read-only access to its root file system, add the `readonlyRootFilesystem` parameter to the task definition for the container, and set the value for the parameter to `true`. For information about task definition parameters and how to add them to a task definition, see [Amazon ECS task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) and [Updating a task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in the _Amazon Elastic Container Service Developer Guide_.
@@ -171,6 +154 @@ Enabling this option reduces security attack vectors since the container instanc
-**Parameters:**
-
-  * secretKeys = `AWS_ACCESS_KEY_ID`,`AWS_SECRET_ACCESS_KEY`,`ECS_ENGINE_AUTH_DATA` (not customizable) 
-
-
-
+**Parameters:** `secretKeys`: `AWS_ACCESS_KEY_ID`,`AWS_SECRET_ACCESS_KEY`,`ECS_ENGINE_AUTH_DATA` (not customizable) 
@@ -220 +198 @@ To define a log configuration for your Amazon ECS task definitions, see [Specify
-**AWS Configrule:** [`ecs-fargate-latest-platform-version`](https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html)
+**AWS Config rule:** [ecs-fargate-latest-platform-version](https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html)
@@ -251 +229 @@ To update an existing service, including its platform version, see [Updating a s
-**AWS Configrule:** [`ecs-container-insights-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html)
+**AWS Config rule:** [ecs-container-insights-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html)