
Guidance: Security Hub ECS.5 | ECS containers should be limited to read-only access to root filesystems

Open willfarrell opened this issue 1 year ago • 4 comments

I'm running the SSM Agent within an ECS Fargate task (https://github.com/willfarrell/aws-bastion). I'm trying to update it to meet AWS Security Hub ECS.5 (ECS containers should be limited to read-only access to root filesystems), which requires the task definition to have readonlyRootFilesystem: true.

I've added /etc/amazon/ssm/seelog.xml with the XML below to have logs stored in /tmp.

<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/tmp/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
   <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="/aws/ecs/bastion"/>
</outputs>

However, it continues to send logs to the default location (/var/log/amazon/ssm/*.log) instead of /tmp/*.log. Not sure if this is a bug or a misconfiguration on my side. Any guidance would be appreciated.

willfarrell avatar Sep 12 '24 14:09 willfarrell
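An added example, not part of the issue or of the amazon-ssm-agent project, showing the two checks a reviewer would run on this setup before relying on Security Hub: that every container definition sets readonlyRootFilesystem to true (the ECS.5 condition), and that every file output named in seelog.xml sits under a mount point of that container, since with a read-only root filesystem only mounted volumes remain writable. It assumes the task definition has the JSON shape returned by `aws ecs describe-task-definition` (containerDefinitions[].readonlyRootFilesystem and containerDefinitions[].mountPoints[].containerPath) and that seelog.xml uses `<file>`/`<rollingfile>` elements with a `filename` attribute, as the fragment above does. The sample task definition and seelog.xml below are constructed for the example.

```python
"""Audit an ECS task definition against Security Hub ECS.5 and check that
seelog.xml file outputs land on a writable (mounted) path.

Added example, not code from the issue or the amazon-ssm-agent project.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed sample task definition (not from the issue). The "sidecar"
# container omits readonlyRootFilesystem, which ECS treats as false.
SAMPLE_TASK_DEF: Dict[str, Any] = {
    "family": "bastion",
    "containerDefinitions": [
        {
            "name": "ssm-agent",
            "image": "example/bastion:latest",
            "readonlyRootFilesystem": True,
            "mountPoints": [{"sourceVolume": "scratch", "containerPath": "/tmp"}],
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:latest",
        },
    ],
    "volumes": [{"name": "scratch"}],
}

# Constructed seelog.xml mirroring the shape in the issue; the nested
# rollingfile deliberately points at the agent's default log directory.
SAMPLE_SEELOG = """<seelog>
<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
</outputs>
</seelog>"""


def ecs5_findings(task_def: Dict[str, Any]) -> List[str]:
    """Names of containers whose readonlyRootFilesystem is not true (ECS.5 FAILED)."""
    return [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if c.get("readonlyRootFilesystem") is not True
    ]


def seelog_file_paths(xml_text: str) -> List[str]:
    """Every filename= target of a <file> or <rollingfile> output, in document
    order, including outputs nested inside <filter> elements."""
    root = ET.fromstring(xml_text)
    return [
        el.attrib["filename"]
        for el in root.iter()
        if el.tag in ("file", "rollingfile") and "filename" in el.attrib
    ]


def unwritable_log_paths(task_def: Dict[str, Any], container_name: str, xml_text: str) -> List[str]:
    """Log paths the named container could not write to.

    With readonlyRootFilesystem true only mounted volumes are writable, so any
    path outside every mountPoints[].containerPath would fail at runtime. A
    container that is not read-only can write anywhere, so nothing is reported.
    """
    container = next(c for c in task_def["containerDefinitions"] if c["name"] == container_name)
    if container.get("readonlyRootFilesystem") is not True:
        return []
    mounts = [m["containerPath"].rstrip("/") + "/" for m in container.get("mountPoints", [])]
    return [p for p in seelog_file_paths(xml_text) if not any(p.startswith(m) for m in mounts)]


if __name__ == "__main__":
    print("ECS.5 failed containers:", ecs5_findings(SAMPLE_TASK_DEF))
    print("unwritable log paths for ssm-agent:",
          unwritable_log_paths(SAMPLE_TASK_DEF, "ssm-agent", SAMPLE_SEELOG))
```

Run against the real task definition (`aws ecs describe-task-definition --task-definition <family>` with the `taskDefinition` key) and the seelog.xml baked into the image; an empty list from both functions is what the page's goal requires, and a path reported by `unwritable_log_paths` is the same failure mode the issue describes, only caught before the task is launched.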

Have you restarted the agent for the seelog.xml to take effect?

Aperocky avatar Jan 19 '25 19:01 Aperocky

The seelog.xml is included in the container before it is run.

FROM --platform=linux/arm64/v8 amazonlinux:2023

WORKDIR /

RUN yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm

COPY ./seelog.xml /etc/amazon/ssm/
COPY ./docker-entrypoint.sh /

ENTRYPOINT ["/docker-entrypoint.sh"]

willfarrell avatar Jan 19 '25 23:01 willfarrell

Thanks for the report/update, we'll look into replicating/fixing.

Aperocky avatar Jan 20 '25 00:01 Aperocky