aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Guidance: Security Hub ECS.5 | ECS containers should be limited to read-only access to root filesystems #588

Open willfarrell opened 2 months ago

willfarrell commented 2 months ago

I'm running the SSM Agent within an ECS Fargate task (https://github.com/willfarrell/aws-bastion). I'm trying to update it to meet AWS Security Hub ECS.5 (ECS containers should be limited to read-only access to root filesystems), which requires the task definition to have readonlyRootFilesystem: true.

I've added /etc/amazon/ssm/seelog.xml with the XML below to have logs stored in /tmp.

<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/tmp/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
   <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="/aws/ecs/bastion"/>
</outputs>

However, it continues to send logs to the default location (/var/log/amazon/ssm/*.log) instead of /tmp/*.log. Not sure if this is a bug or a misconfiguration on my side. Any guidance would be appreciated.
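A check that a practitioner hardening a task for ECS.5 would want, added here as an example and not part of the issue or of the amazon-ssm-agent project: with readonlyRootFilesystem set to true, every path a seelog file output writes to must lie under a writable volume mount declared in the task definition, otherwise the agent cannot write there whether or not seelog honours the override. The script parses the `<outputs>` block from the post (wrapped in a minimal `<seelog>` root so it parses on its own) and two constructed task-definition fragments, and reports file outputs that have no writable mount beneath them. The container name `ssm-agent` and volume names are assumptions.

```python
"""Verify that seelog file outputs land on writable mounts of an ECS container
whose root filesystem is read-only (Security Hub ECS.5)."""
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the <outputs> block from the issue, wrapped in a bare
# <seelog> root so it parses stand-alone (the real file also declares formats).
SEELOG_XML = """<seelog>
<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/tmp/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
   <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="/aws/ecs/bastion"/>
</outputs>
</seelog>"""

# Constructed task definition fragments (container name and volume names are
# assumptions). Fargate allows volumes without a host block; they are ephemeral
# and stay writable even when readonlyRootFilesystem is true.
TASK_DEF_LOGS_ONLY = {
    "volumes": [{"name": "ssm-logs"}],
    "containerDefinitions": [{
        "name": "ssm-agent",
        "readonlyRootFilesystem": True,
        "mountPoints": [
            {"sourceVolume": "ssm-logs", "containerPath": "/var/log/amazon/ssm"},
        ],
    }],
}
TASK_DEF_WITH_TMP = {
    "volumes": [{"name": "ssm-logs"}, {"name": "scratch"}],
    "containerDefinitions": [{
        "name": "ssm-agent",
        "readonlyRootFilesystem": True,
        "mountPoints": [
            {"sourceVolume": "ssm-logs", "containerPath": "/var/log/amazon/ssm"},
            {"sourceVolume": "scratch", "containerPath": "/tmp"},
        ],
    }],
}


def seelog_file_outputs(xml_text):
    """Return the target paths of every <file>/<rollingfile> output, in document order."""
    root = ET.fromstring(xml_text)
    paths = []
    for el in root.iter():
        if el.tag in ("file", "rollingfile"):
            # seelog uses path= on <file> and filename= on <rollingfile>.
            target = el.get("filename") or el.get("path")
            if target:
                paths.append(target)
    return paths


def _container(task_def, name):
    for c in task_def.get("containerDefinitions", []):
        if c.get("name") == name:
            return c
    raise KeyError(f"no container named {name!r}")


def writable_mounts(task_def, container_name):
    """Container paths mounted read-write for the named container."""
    c = _container(task_def, container_name)
    return [
        posixpath.normpath(m["containerPath"])
        for m in c.get("mountPoints", [])
        if not m.get("readOnly", False)
    ]


def _under(path, mount):
    path = posixpath.normpath(path)
    return path == mount or path.startswith(mount.rstrip("/") + "/")


def check_container(task_def, container_name, xml_text):
    """Report whether the root fs is read-only and which log outputs have no writable mount."""
    c = _container(task_def, container_name)
    mounts = writable_mounts(task_def, container_name)
    unwritable = [
        p for p in seelog_file_outputs(xml_text)
        if not any(_under(p, m) for m in mounts)
    ]
    return {"readonly_root": bool(c.get("readonlyRootFilesystem", False)),
            "unwritable": unwritable}


if __name__ == "__main__":
    for label, td in (("logs-only", TASK_DEF_LOGS_ONLY), ("with-tmp", TASK_DEF_WITH_TMP)):
        print(label, check_container(td, "ssm-agent", SEELOG_XML))
```

Run against the first fragment it flags both /tmp outputs, since only /var/log/amazon/ssm is mounted; adding a writable volume at /tmp clears the report. The same check is worth repeating for any `<custom>` receiver that buffers to disk, which this script does not inspect.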