ECS Fargate Services Use the Latest Platform Version
Overview
This check verifies that your Amazon ECS Fargate services are running on the latest platform version. Fargate platform versions determine which kernel, container runtime, and AWS features are available to your containers. Using the latest version ensures you have access to the most recent security patches and features.
Risk
Running outdated Fargate platform versions exposes your services to known vulnerabilities that have been patched in newer versions. This can lead to:
- Container escape vulnerabilities that could expose sensitive data
- Privilege escalation allowing attackers to gain unauthorized access
- System instability and potential denial-of-service conditions
Keeping platform versions current is a fundamental security hygiene practice.
Remediation Steps
Prerequisites
You need permission to update ECS services in your AWS account (specifically ecs:UpdateService).
Required IAM permissions
To update ECS services, your IAM user or role needs the following. Resource is * here for simplicity; in production, scope it to the ARNs of the clusters and services you actually manage:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:UpdateService",
"ecs:DescribeServices",
"ecs:ListServices",
"ecs:ListClusters"
],
"Resource": "*"
}
]
}
AWS Console Method
- Open the Amazon ECS console
- Click Clusters in the left navigation
- Select the cluster containing your Fargate service
- Click the Services tab
- Select the service you want to update
- Click Update in the upper right
- Under Deployment configuration, find Platform version
- Select LATEST from the dropdown
- Scroll down and click Update
The service begins a rolling deployment on the new platform version; tasks are replaced gradually according to your deployment configuration. If the service was already set to LATEST, changing the dropdown is a no-op and nothing is deployed. In that case, tick Force new deployment on the same page so that the running tasks (which keep the platform version they launched with) are replaced by tasks on the current version.
AWS CLI (optional)
Update a single service to use the latest platform version:
aws ecs update-service \
--cluster <your-cluster-name> \
--service <your-service-name> \
--platform-version LATEST \
--region us-east-1
To update all Fargate services in a cluster, skipping services that do not run on Fargate (EC2 and EXTERNAL services have no platform version, and the parameter is not valid for them) and forcing a new deployment so that services already configured as LATEST are rolled onto the current version too:
CLUSTER_NAME="<your-cluster-name>"
REGION="us-east-1"
# Get all service ARNs (the CLI paginates list-services for you)
SERVICES=$(aws ecs list-services \
  --cluster "$CLUSTER_NAME" \
  --region "$REGION" \
  --query 'serviceArns[]' \
  --output text)
for SERVICE in $SERVICES; do
  # Fargate services always report a platformVersion (LATEST by default);
  # EC2/EXTERNAL services print "None". Checking this instead of launchType
  # also catches services that use a FARGATE capacity provider strategy.
  PLATFORM_VERSION=$(aws ecs describe-services \
    --cluster "$CLUSTER_NAME" \
    --services "$SERVICE" \
    --region "$REGION" \
    --query 'services[0].platformVersion' \
    --output text)
  if [ "$PLATFORM_VERSION" = "None" ]; then
    echo "Skipping non-Fargate service: $SERVICE"
    continue
  fi
  echo "Updating service: $SERVICE (currently $PLATFORM_VERSION)"
  # --force-new-deployment matters when the service is already LATEST:
  # without it update-service is a no-op and running tasks keep the
  # platform version they launched with.
  aws ecs update-service \
    --cluster "$CLUSTER_NAME" \
    --service "$SERVICE" \
    --platform-version LATEST \
    --force-new-deployment \
    --region "$REGION"
done
Note: If your service uses the CODE_DEPLOY (blue/green) deployment controller, update-service rejects --platform-version. Instead, set PlatformVersion under the TargetService Properties in the CodeDeploy AppSpec and create a new CodeDeploy deployment.
CloudFormation (optional)
Set PlatformVersion: LATEST in your AWS::ECS::Service resource:
AWSTemplateFormatVersion: '2010-09-09'
Description: ECS Fargate Service with latest platform version
Parameters:
ClusterName:
Type: String
Description: Name of the ECS cluster
ServiceName:
Type: String
Description: Name of the ECS service
TaskDefinitionArn:
Type: String
Description: ARN of the task definition
SubnetIds:
Type: List<AWS::EC2::Subnet::Id>
Description: Subnet IDs for the service
SecurityGroupIds:
Type: List<AWS::EC2::SecurityGroup::Id>
Description: Security group IDs for the service
Resources:
ECSService:
Type: AWS::ECS::Service
Properties:
ServiceName: !Ref ServiceName
Cluster: !Ref ClusterName
TaskDefinition: !Ref TaskDefinitionArn
DesiredCount: 2
LaunchType: FARGATE
PlatformVersion: LATEST
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
Subnets: !Ref SubnetIds
SecurityGroups: !Ref SecurityGroupIds
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 100
Outputs:
ServiceArn:
Description: ARN of the ECS service
Value: !Ref ECSService
Deploy or update the stack. CloudFormation only starts a deployment when the service resource actually changes, so if the service already uses LATEST this is a no-op; roll the running tasks onto the current version by deploying a new task definition revision:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name my-ecs-service \
--parameter-overrides \
ClusterName=<your-cluster> \
ServiceName=<your-service> \
TaskDefinitionArn=<your-task-definition-arn> \
SubnetIds=<subnet-1>,<subnet-2> \
SecurityGroupIds=<sg-id> \
--region us-east-1
Terraform (optional)
Set platform_version = "LATEST" in your aws_ecs_service resource:
variable "cluster_id" {
description = "ID of the ECS cluster"
type = string
}
variable "service_name" {
description = "Name of the ECS service"
type = string
}
variable "task_definition_arn" {
description = "ARN of the task definition"
type = string
}
variable "subnet_ids" {
description = "Subnet IDs for the service"
type = list(string)
}
variable "security_group_ids" {
description = "Security group IDs for the service"
type = list(string)
}
resource "aws_ecs_service" "this" {
  name            = var.service_name
  cluster         = var.cluster_id
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"

  # Use LATEST to always run on the most recent platform version
  platform_version = "LATEST"

  # LATEST is resolved when a deployment starts, so an apply that changes
  # nothing leaves running tasks on the version they launched with. Forcing
  # a redeployment on every apply rolls them forward. plantimestamp() needs
  # Terraform >= 1.3; drop the triggers block if you only want a redeploy
  # when some other attribute changes.
  force_new_deployment = true
  triggers = {
    redeployment = plantimestamp()
  }

  network_configuration {
    subnets          = var.subnet_ids
    security_groups  = var.security_group_ids
    assign_public_ip = false
  }

  deployment_maximum_percent         = 200
  deployment_minimum_healthy_percent = 100
}
Apply the configuration:
terraform apply
Verification
After updating your service, verify the platform version in the AWS Console. The service's own Platform version shows what was requested (LATEST or a pinned number); the Platform version on the PRIMARY deployment shows what the tasks are actually running on:
- Go to ECS > Clusters > select your cluster
- Click the Services tab and select your service
- Under Deployments, check that the Platform version of the PRIMARY deployment is the current version number (for example 1.4.0 for Linux) listed in the AWS platform version history
CLI verification
aws ecs describe-services \
  --cluster <your-cluster-name> \
  --services <your-service-name> \
  --region us-east-1 \
  --query 'services[0].{ServiceName:serviceName, PlatformVersion:platformVersion, PlatformFamily:platformFamily, Deployments:deployments[].{Status:status, PlatformVersion:platformVersion, RunningCount:runningCount}}'
Expected output shows LATEST (or a pinned number) at the service level and the resolved version on the PRIMARY deployment. If the deployment's version lags the current one in the platform version history, force a new deployment:
{
  "ServiceName": "my-service",
  "PlatformVersion": "LATEST",
  "PlatformFamily": "Linux",
  "Deployments": [
    {
      "Status": "PRIMARY",
      "PlatformVersion": "1.4.0",
      "RunningCount": 2
    }
  ]
}
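As an added example (not part of this page and not AWS tooling), the following script applies this check to describe-services output. It flags services that pin a platform version, services pinned to a version older than the newest one, and services configured as LATEST whose PRIMARY deployment was resolved to an older version and therefore still need a forced deployment. The ASSUMED_LATEST table is an assumption to be refreshed from the platform version history pages, and the sample document is constructed to show each case rather than taken from a real account.

```python
"""Audit `aws ecs describe-services` output for Fargate platform-version drift.

Usage:
    aws ecs describe-services --cluster <cluster> --services <svc1> <svc2> \
        --region us-east-1 | python3 fargate_pv_audit.py
With no piped input it audits the constructed SAMPLE below instead.
"""
import json
import sys

# Newest platform version per family. ASSUMPTION: values as of the time this
# example was written; confirm against the AWS platform version history pages.
ASSUMED_LATEST = {"Linux": "1.4.0", "Windows": "1.0.0"}


def version_tuple(version):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_service(service, latest=ASSUMED_LATEST):
    """Return findings for one entry of the describe-services 'services' list.

    Each finding is a dict with 'service', 'code' and 'detail'. Services with
    no platformVersion (EC2 or EXTERNAL launch types) produce no findings.
    """
    findings = []
    name = service.get("serviceName", "<unnamed>")
    configured = service.get("platformVersion")
    if configured is None:
        return findings
    # Older Linux services may omit platformFamily; Linux is the only possibility then.
    family = service.get("platformFamily", "Linux")
    newest = latest.get(family)

    if configured != "LATEST":
        behind = newest is not None and version_tuple(configured) < version_tuple(newest)
        findings.append({
            "service": name,
            "code": "PINNED_OLD" if behind else "PINNED",
            "detail": f"platformVersion is pinned to {configured}; newest {family} version is {newest}",
        })

    # The service-level value is what was requested. The version tasks actually
    # run on is resolved per deployment, so a LATEST service can still be stale.
    for deployment in service.get("deployments", []):
        if deployment.get("status") != "PRIMARY":
            continue
        resolved = deployment.get("platformVersion")
        if resolved and newest and version_tuple(resolved) < version_tuple(newest):
            running = deployment.get("runningCount", "?")
            findings.append({
                "service": name,
                "code": "STALE_DEPLOYMENT",
                "detail": f"PRIMARY deployment runs {resolved} ({running} tasks); force a new deployment to move to {newest}",
            })
    return findings


def audit(describe_output, latest=ASSUMED_LATEST):
    """Audit a full describe-services JSON document."""
    findings = []
    for service in describe_output.get("services", []):
        findings.extend(audit_service(service, latest))
    return findings


# Constructed sample shaped like describe-services output (not real AWS data).
SAMPLE = {
    "services": [
        {"serviceName": "api", "launchType": "FARGATE", "platformVersion": "LATEST",
         "platformFamily": "Linux",
         "deployments": [{"status": "PRIMARY", "platformVersion": "1.4.0", "runningCount": 2}]},
        {"serviceName": "worker", "launchType": "FARGATE", "platformVersion": "LATEST",
         "platformFamily": "Linux",
         "deployments": [{"status": "PRIMARY", "platformVersion": "1.3.0", "runningCount": 3},
                         {"status": "INACTIVE", "platformVersion": "1.3.0", "runningCount": 0}]},
        {"serviceName": "legacy", "launchType": "FARGATE", "platformVersion": "1.3.0",
         "platformFamily": "Linux",
         "deployments": [{"status": "PRIMARY", "platformVersion": "1.3.0", "runningCount": 1}]},
        {"serviceName": "batch-ec2", "launchType": "EC2",
         "deployments": [{"status": "PRIMARY", "runningCount": 4}]},
    ]
}


def main():
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for finding in findings:
        print(f"[{finding['code']}] {finding['service']}: {finding['detail']}")
    # Non-zero exit makes this usable as a CI gate.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Against the sample, api is clean, worker needs a forced deployment, legacy is both pinned behind and stale, and the EC2 service is ignored. Because describe-services accepts at most ten services per call, feed it the list-services output in batches when auditing a whole cluster.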
Additional Resources
- AWS Fargate Platform Versions
- AWS Fargate Linux Platform Version History
- AWS Fargate Windows Platform Version History
- Updating an ECS Service
Notes
- LATEST vs. pinned versions: LATEST is resolved to a concrete version each time a deployment starts, so new deployments pick up security patches automatically, but tasks that are already running keep the version they launched with. After AWS releases a new platform version, force a new deployment to roll existing tasks forward. If you pin to a specific version for compatibility testing, actively monitor AWS release announcements and update the pin.
- Blue/green deployments: If your service uses the CODE_DEPLOY deployment controller, the update-service API does not accept platform version changes. Set PlatformVersion under the TargetService Properties in the CodeDeploy AppSpec and create a new CodeDeploy deployment instead.
- Rolling updates: When you update the platform version, ECS performs a rolling deployment. Tasks are replaced gradually based on your minimumHealthyPercent and maximumPercent settings.
- Windows vs. Linux: Platform versions differ between Windows and Linux Fargate, and LATEST resolves within the service's platform family. Ensure you select the appropriate version for your workload's operating system.