whilenull / 7777-support

Documentation and support for 7777.
https://port7777.com

7777 Task Definition to follow AWS Foundational Security Best Practices #47

Open nandogameiro opened 10 months ago

nandogameiro commented 10 months ago

Hey there,

We've been using 7777 on our AWS accounts and after enabling Security Hub we started to get alerts showing the Task Definition created by 7777 cli command violates the ECS.5 rule of AWS Foundational Security Best Practices with severity HIGH

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5

This control checks if Amazon ECS containers are limited to read-only access to mounted root filesystems. The control fails if the readonlyRootFilesystem parameter is set to false or if the parameter doesn't exist in the container definition within the task definition. This control only evaluates the latest active revision of an Amazon ECS task definition.

Enabling this option reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. This control also adheres to the principle of least privilege.

Wondering if you guys could sort this to get your tool compliant with this Best Practice?

Thank you
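A small checker for the ECS.5 logic quoted above, plus the remediation it implies (added example; not code from 7777 or from the issue). The task definition, container names and the tmpfs scratch mount are constructed assumptions, not what the 7777 CLI actually generates.

```python
"""Evaluate a task definition against ECS.5 and harden it (constructed example)."""
import json

# Constructed task definition for illustration; NOT the one 7777 creates.
TASK_DEF_BEFORE = {
    "family": "example-task",  # placeholder family name
    "containerDefinitions": [
        # key absent -> fails ECS.5
        {"name": "proxy", "image": "example/proxy:latest"},
        # key present but false -> fails ECS.5
        {"name": "sidecar", "image": "example/sidecar:latest",
         "readonlyRootFilesystem": False},
    ],
}


def ecs5_findings(task_def):
    """Return the names of containers that fail ECS.5.

    Mirrors the control's wording: a container fails if readonlyRootFilesystem
    is false or the key is missing from its container definition.
    """
    return [c["name"] for c in task_def.get("containerDefinitions", [])
            if c.get("readonlyRootFilesystem") is not True]


def harden(task_def, writable_paths=("/tmp",)):
    """Return a deep copy with readonlyRootFilesystem=true on every container.

    Paths the process still needs to write (assumed here to be /tmp) get a
    tmpfs under linuxParameters so the root filesystem can stay read-only.
    Assumption: tmpfs is not available on Fargate; there a volume mount on
    ephemeral storage is the equivalent remediation.
    """
    hardened = json.loads(json.dumps(task_def))
    for c in hardened["containerDefinitions"]:
        c["readonlyRootFilesystem"] = True
        linux = c.setdefault("linuxParameters", {})
        linux["tmpfs"] = [{"containerPath": p, "size": 64}  # size in MiB
                          for p in writable_paths]
    return hardened


if __name__ == "__main__":
    print("before:", ecs5_findings(TASK_DEF_BEFORE))  # ['proxy', 'sidecar']
    print("after: ", ecs5_findings(harden(TASK_DEF_BEFORE)))  # []
```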

mnapoli commented 9 months ago

Hey, sorry for the late response. We discussed it in Slack, here's a quick summary: this would require some changes to the existing design. We're definitely taking note of this though.