AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-03-25 · Documentation low

File: securityhub/latest/userguide/ecs-controls.md

Summary

Updated ECS.5 control title and description to clarify it applies to task definitions configuring containers, and added note that readonlyRootFilesystem parameter is not supported for Windows containers (marked as NOT_APPLICABLE).

Security assessment

This change clarifies existing security control documentation by making the language more precise about task definitions and container configuration. The added note about Windows container support is a technical clarification that helps users understand control applicability, but there's no evidence this addresses a specific security vulnerability or incident.

Diff

diff --git a/securityhub/latest/userguide/ecs-controls.md b/securityhub/latest/userguide/ecs-controls.md
index 43db0f09c..db4046e99 100644
--- a//securityhub/latest/userguide/ecs-controls.md
+++ b//securityhub/latest/userguide/ecs-controls.md
@@ -5 +5 @@
-[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS containers should be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes[ECS.19] ECS capacity providers should have managed termination protection enabled[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions
+[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes[ECS.19] ECS capacity providers should have managed termination protection enabled[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions
@@ -131 +131 @@ To configure the `privileged` parameter on a task definition, see [Advanced cont
-## [ECS.5] ECS containers should be limited to read-only access to root filesystems
+## [ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems
@@ -147 +147 @@ To configure the `privileged` parameter on a task definition, see [Advanced cont
-This control checks whether an Amazon ECS container has read-only access to its root file system. The control fails if the `readonlyRootFilesystem` parameter is set to `false`, or the parameter doesn't exist in the container definition within the task definition. This control evaluates only the latest active revision of an Amazon ECS task definition.
+This control checks whether ECS task definitions configure containers to be limited to read-only access to mounted root file systems. The control fails if the `readonlyRootFilesystem` parameter in the container definitions of ECS task definition is set to `false`, or the parameter doesn't exist in the container definition within the task definition. This control evaluates only the latest active revision of an Amazon ECS task definition.
@@ -150,0 +151,4 @@ If the `readonlyRootFilesystem` parameter is set to `true` in an Amazon ECS task
+###### Note
+
+The `readonlyRootFilesystem` parameter is not supported for Windows containers. Task definitions with `runtimePlatform` configured to specify a `WINDOWS_SERVER` OS family are marked as `NOT_APPLICABLE` and will not generate findings for this control. 
+