hashicorp / terraform-aws-consul-ecs

Consul Service Mesh on AWS ECS (Elastic Container Service)
https://www.consul.io/docs/ecs
Mozilla Public License 2.0

acl-controller has write permissions to root file system #157

Closed v-rosa closed 1 year ago

v-rosa commented 1 year ago

By default, the task definition's readonlyRootFilesystem is set to false. If it is not set to true, it grants write permissions to the root file system. Could you clarify whether write permission is needed for the acl-controller?

This triggers the following AWS Security Hub alert:

[ECS.5] This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to 'false'.

pglass commented 1 year ago

Thanks for pointing this out. The ACL controller should not need to write any files, so it should be safe to update that setting to read-only.

v-rosa commented 1 year ago

Awesome, I can open a PR for this
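As an added example (not code from this issue or from the terraform-aws-consul-ecs module), the following Python evaluates an ECS task definition the way the quoted ECS.5 control describes and produces the remediated definition the thread agrees on: every container's root filesystem set read-only. The task definition, container names and image tags are constructed for illustration. Treating an absent readonlyRootFilesystem as false is an assumption based on the ECS default the issue mentions, not a quotation of the Security Hub implementation.

```python
"""Check ECS task definitions against the intent of Security Hub control
ECS.5 (read-only root filesystem) and emit a remediated copy.

Added example; not code from the terraform-aws-consul-ecs module.
The sample task definition is constructed and its names are hypothetical.
"""
import copy
import json

# Constructed sample, shaped like the taskDefinition object returned by
# `aws ecs describe-task-definition`, trimmed to the fields that matter here.
SAMPLE_TASK_DEFINITION = {
    "family": "consul-acl-controller",  # hypothetical family name
    "containerDefinitions": [
        {
            "name": "acl-controller",
            "image": "hashicorp/consul-ecs:latest",  # hypothetical tag
            "essential": True,
            # readonlyRootFilesystem omitted: ECS defaults it to false,
            # which is the state the issue reports.
        },
        {
            "name": "log-router",
            "image": "amazon/aws-for-fluent-bit:latest",  # hypothetical sidecar
            "essential": True,
            "readonlyRootFilesystem": True,
        },
    ],
}


def find_writable_root_containers(task_definition):
    """Return the names of containers whose root filesystem is writable.

    ECS.5 fails when readonlyRootFilesystem is false. The parameter is
    optional and ECS defaults it to false, so an absent value is treated
    the same as an explicit false (assumption based on the ECS default).
    """
    failing = []
    for container in task_definition.get("containerDefinitions", []):
        if not container.get("readonlyRootFilesystem", False):
            failing.append(container["name"])
    return failing


def ecs5_status(task_definition):
    """Map the evaluation onto the PASSED/FAILED vocabulary Security Hub uses."""
    return "FAILED" if find_writable_root_containers(task_definition) else "PASSED"


def enforce_readonly_root(task_definition):
    """Return a deep copy with readonlyRootFilesystem = True on every container.

    The input is left untouched so the caller can diff original and result
    before registering a new task definition revision.
    """
    remediated = copy.deepcopy(task_definition)
    for container in remediated.get("containerDefinitions", []):
        container["readonlyRootFilesystem"] = True
    return remediated


if __name__ == "__main__":
    print("before:", ecs5_status(SAMPLE_TASK_DEFINITION),
          find_writable_root_containers(SAMPLE_TASK_DEFINITION))
    fixed = enforce_readonly_root(SAMPLE_TASK_DEFINITION)
    print("after: ", ecs5_status(fixed))
    print(json.dumps(fixed["containerDefinitions"][0], indent=2))
```

If a container does turn out to need scratch space once the flag is flipped, the usual remedy is an explicit volume mount for that one path rather than reverting to a writable root filesystem.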