Skip to content
Ask AI about this
Help improve this page

ECS fargate services should run on the latest fargate platform version

Each Fargate platform version bundles a specific kernel, container runtime, and Fargate agent. Newer versions carry security patches, bug fixes, and performance improvements. Running an outdated platform version means your containers execute on infrastructure with known vulnerabilities that AWS has already addressed in later releases.

Platform version 1.4.0 (Linux) switched from Docker to the containerd runtime, updated the Fargate agent, and added EFS volume support and ephemeral storage encryption. Staying on 1.3.0 or earlier forfeits those capabilities and leaves workloads exposed to CVEs that AWS has since patched.

Retrofit consideration

The 1.3.0-to-1.4.0 jump switched the container runtime from Docker to containerd and changed how networking and ephemeral storage work. Test on staging before pushing to production, especially if your tasks rely on Docker-specific socket behavior or EFS mounts.

Implementation

Choose the approach that matches how you manage Terraform.

Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.

module "ecs" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/ecs/aws//modules/service"
  version = ">=6.0.0"

  cluster_arn = "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster"
  container_definitions = {
    main = {
      essential = true
      image     = "public.ecr.aws/docker/library/httpd:latest"
      portMappings = [
        {
          containerPort = 80
          protocol      = "tcp"
        }
      ]
    }
  }
  cpu        = 256
  memory     = 512
  name       = "abc123"
  subnet_ids = ["subnet-12345678"]
}


module "ecs" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/ecs/aws//modules/service"
  version = ">=6.0.0"

  cluster_arn = "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster"
  container_definitions = {
    main = {
      essential = true
      image     = "public.ecr.aws/docker/library/httpd:latest"
      portMappings = [
        {
          containerPort = 80
          protocol      = "tcp"
        }
      ]
    }
  }
  cpu        = 256
  memory     = 512
  name       = "abc123"
  subnet_ids = ["subnet-12345678"]
}


module "ecs" {
  source  = "nistcsfv11.compliance.tf/terraform-aws-modules/ecs/aws//modules/service"
  version = ">=6.0.0"

  cluster_arn = "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster"
  container_definitions = {
    main = {
      essential = true
      image     = "public.ecr.aws/docker/library/httpd:latest"
      portMappings = [
        {
          containerPort = 80
          protocol      = "tcp"
        }
      ]
    }
  }
  cpu        = 256
  memory     = 512
  name       = "abc123"
  subnet_ids = ["subnet-12345678"]
}

If you use terraform-aws-modules/ecs/aws//modules/service, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "ecs" {
  source  = "terraform-aws-modules/ecs/aws//modules/service"
  version = ">=6.0.0"

  cluster_arn = "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster"
  container_definitions = {
    main = {
      essential = true
      image     = "public.ecr.aws/docker/library/httpd:latest"
      portMappings = [
        {
          containerPort = 80
          protocol      = "tcp"
        }
      ]
    }
  }
  cpu        = 256
  memory     = 512
  name       = "abc123"
  subnet_ids = ["subnet-12345678"]

  platform_version = "LATEST"
}

Use AWS provider resources directly. See docs for the resources involved: aws_ecs_service.

resource "aws_ecs_service" "this" {
  cluster     = "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster"
  launch_type = "FARGATE"
  name        = "pofix-abc123"

  network_configuration {
    subnets = ["subnet-abc123", "subnet-def456"]
  }

  task_definition = "arn:aws:ecs:us-east-1:123456789012:task-definition/example-task:1"

  platform_version = "LATEST"
}

What this control checks

The platform_version argument in aws_ecs_service controls which Fargate platform version the service uses. Set it to "LATEST" or the explicit current version string for the target OS to pass. Omitting platform_version causes AWS to default to "LATEST", which also passes. The control only applies when launch_type is "FARGATE" or the capacity provider strategy references Fargate. Services with an explicit older version like "1.3.0" or "1.2.0" fail. Note that "LATEST" is a symbolic reference AWS resolves at deployment time, making the explicit numeric version more deterministic for Terraform drift detection.

Common pitfalls

  • LATEST does not always mean newest immediately

    AWS updates the "LATEST" pointer on its own schedule, and there have been brief windows where it still pointed to the previous version after a new one released. Pinning to the explicit version string like "1.4.0" removes that ambiguity, but you'll need to update it manually when AWS cuts a new version.

  • Capacity provider strategy vs launch_type

    When using capacity_provider_strategy with "FARGATE" rather than launch_type = "FARGATE", platform_version still applies but is easy to skip. Set it explicitly either way.

  • Force new deployment needed for running tasks

    Updating platform_version in Terraform only changes the service definition. Running tasks stay on the old version until replaced. Add force_new_deployment = true to ensure all tasks pick up the new platform version on the next terraform apply.

  • Windows vs Linux platform versions differ

    Windows and Linux Fargate platform version tracks are independent, so a single hardcoded numeric value won't work if you manage both. Key off the operating_system_family in the runtime_platform block with a conditional or variable.

Audit evidence

AWS Config evaluations showing all ECS Fargate services as compliant are the primary evidence artifact. Per-service, aws ecs describe-services output should show platformVersion set to "LATEST" or the current numeric version. CloudTrail CreateService and UpdateService events confirm the platform version at time of creation or last update. For environments with many clusters, a Config aggregator report or CSPM export showing historical compliance state across all ECS clusters is more practical than per-service screenshots.

Framework-specific interpretation

PCI DSS v4.0: Requirement 6.3 expects known vulnerabilities to be addressed by applying security patches promptly. For Fargate workloads, the platform version is the patch vector for the container runtime and kernel. Running LATEST satisfies that expectation for the AWS-managed layer of any service processing cardholder data.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ecs_service_fargate_using_latest_platform_version

  • AWS Config Managed Rule: ECS_FARGATE_LATEST_PLATFORM_VERSION

  • Checkov Check: CKV_AWS_332

  • Powerpipe Control: aws_compliance.control.ecs_service_fargate_using_latest_platform_version

  • Prowler Check: ecs_service_fargate_latest_platform_version

  • AWS Security Hub Control: ECS.10

Last reviewed: 2026-03-09