
Monitor Amazon ECS Configuration Changes


Risk level: High (not acceptable risk)

The Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the AWS ECS service level within your Amazon Web Services account.

This rule resolution is part of the Cloud Conformity Tool

Amazon ECS is a highly scalable, high-performance container management service that makes it easy to run and manage Docker containers within a cluster. You can use the Elastic Container Service (ECS) to schedule the placement of containers across your cluster based on your resource needs, isolation policies and availability requirements. Amazon ECS eliminates the need for you to install, operate and scale your own cluster management infrastructure. With AWS ECS, you can launch and stop Docker-enabled applications, query the complete state of your application and access AWS cloud resources and features like IAM roles, EC2 security groups, EBS volumes, CloudWatch Events, Amazon CloudFormation templates and CloudTrail logs.

The Cloud Conformity RTMA feature monitors and detects each ECS configuration change made in your AWS account, such as creating or updating attributes for an ECS resource, deregistering container instances from a cluster, removing a specified service from a cluster or deleting a cluster. Specifically, the activity detected by this Cloud Conformity RTMA rule can be any IAM or root account user request initiated through the AWS Management Console, or any AWS API request initiated programmatically using the AWS CLI or SDKs, that triggers one of the following Amazon ECS actions:

"CreateCluster" - Creates an Amazon ECS cluster. By default, your AWS account receives a default cluster when you launch your first Docker container instance; however, you can create your own ECS cluster with a unique name using this action.

"CreateService" - Runs and maintains a desired number of tasks from a specified task definition.

"DeleteAttributes" - Deletes one or more custom attributes from an AWS ECS resource such as a container instance.

"DeleteCluster" - Deletes the specified ECS cluster. You must deregister all container instances from this cluster before you can delete it.

"DeleteService" - Deletes a specified service within an AWS ECS cluster.

"DeregisterContainerInstance" - Deregisters a container instance from the specified ECS cluster. Once deregistered, the instance is no longer available to run tasks.

"PutAttributes" - Creates or updates an attribute for an AWS ECS resource. If the attribute does not exist, it is created, but if the attribute exists, its value is replaced with the value specified when the request is made.

"RegisterContainerInstance" - Registers an EC2 instance to a specified ECS cluster. The instance becomes available for new Docker containers.

"RegisterTaskDefinition" - Registers a new task definition from the supplied family and container definitions. Container definitions are used to describe the different containers that are launched as part of a task.

"SubmitContainerStateChange" - Sent to acknowledge that a Docker container changed state.

"SubmitTaskStateChange" - Sent to acknowledge that a task changed state.

"UpdateContainerAgent" - Updates the Amazon ECS container agent for a specified container instance.

"UpdateContainerInstancesState" - Modifies the status of an AWS ECS container instance.

"UpdateService" - Modifies the parameters of the Amazon ECS service.
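As an added example (not Cloud Conformity's own code), the script below applies the same rule to CloudTrail records: it keeps only events from ecs.amazonaws.com whose eventName is one of the actions listed above, and tags each match with the principal class (root, IAM user, assumed role) and the request origin (console, CLI, SDK) so an alert can be routed and triaged. The CloudTrail records are constructed samples with made-up account ids and ARNs, and the user-agent prefixes used to infer the origin are an assumption, not an AWS specification.

```python
import json
from typing import Any, Dict, Iterable, List

# Amazon ECS API actions covered by the RTMA rule described on this page.
ECS_CONFIG_CHANGE_ACTIONS = frozenset({
    "CreateCluster", "CreateService", "DeleteAttributes", "DeleteCluster",
    "DeleteService", "DeregisterContainerInstance", "PutAttributes",
    "RegisterContainerInstance", "RegisterTaskDefinition",
    "SubmitContainerStateChange", "SubmitTaskStateChange",
    "UpdateContainerAgent", "UpdateContainerInstancesState", "UpdateService",
})

ECS_EVENT_SOURCE = "ecs.amazonaws.com"


def classify_principal(user_identity: Dict[str, Any]) -> str:
    """Map the CloudTrail userIdentity block to a coarse principal class."""
    identity_type = user_identity.get("type", "")
    if identity_type == "Root":
        return "root"
    if identity_type == "IAMUser":
        return "iam-user"
    if identity_type == "AssumedRole":
        return "assumed-role"
    return "other"


def classify_origin(user_agent: str) -> str:
    """Infer where the request came from. Assumption: console requests carry
    'console.amazonaws.com' in the user agent, CLI requests start with
    'aws-cli', SDK requests mention 'aws-sdk' or 'boto'."""
    ua = (user_agent or "").lower()
    if "console.amazonaws.com" in ua:
        return "console"
    if ua.startswith("aws-cli"):
        return "cli"
    if "aws-sdk" in ua or "boto" in ua:
        return "sdk"
    return "other"


def summarize_resource(params: Dict[str, Any]) -> str:
    """Pick the most specific request parameter to show in the alert line."""
    for key in ("service", "family", "containerInstance", "cluster"):
        if key in params:
            return f"{key}={params[key]}"
    return "n/a"


def detect_ecs_changes(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert per CloudTrail record that matches the rule."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != ECS_EVENT_SOURCE:
            continue
        if rec.get("eventName") not in ECS_CONFIG_CHANGE_ACTIONS:
            continue
        identity = rec.get("userIdentity") or {}
        alerts.append({
            "eventTime": rec.get("eventTime", ""),
            "eventName": rec["eventName"],
            "principal": classify_principal(identity),
            "principalArn": identity.get("arn", ""),
            "origin": classify_origin(rec.get("userAgent", "")),
            "sourceIp": rec.get("sourceIPAddress", ""),
            "resource": summarize_resource(rec.get("requestParameters") or {}),
        })
    return alerts


def load_records(trail_json: str) -> List[Dict[str, Any]]:
    """Parse the {"Records": [...]} envelope CloudTrail uses for log files."""
    return json.loads(trail_json).get("Records", [])


# Constructed sample trail (not real log data); account id and ARNs are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-12-18T10:01:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "DeleteCluster", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/1.16.0 Python/3.6.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"cluster": "prod-cluster"}},
    {"eventTime": "2018-12-18T10:02:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "UpdateService", "sourceIPAddress": "203.0.113.11",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"cluster": "prod-cluster", "service": "web",
                           "desiredCount": 0}},
    {"eventTime": "2018-12-18T10:03:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "DescribeClusters", "sourceIPAddress": "203.0.113.12",
     "userAgent": "aws-sdk-java/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"clusters": ["prod-cluster"]}},
    {"eventTime": "2018-12-18T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.12",
     "userAgent": "aws-cli/1.16.0 Python/3.6.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceType": "t3.medium"}},
    {"eventTime": "2018-12-18T10:05:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterContainerInstance", "sourceIPAddress": "10.0.1.20",
     "userAgent": "Amazon ECS Agent - v1.20.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ecsInstanceRole/i-0abc"},
     "requestParameters": {"cluster": "prod-cluster"}},
]})


if __name__ == "__main__":
    for alert in detect_ecs_changes(load_records(SAMPLE_TRAIL)):
        print("{eventTime} {eventName:<28} {principal:<12} {origin:<8} "
              "{resource} from {sourceIp} ({principalArn})".format(**alert))
```

Only three of the five sample records match: the read-only DescribeClusters call and the EC2 event are ignored, while the root-user UpdateService from the console, the IAM-user DeleteCluster from the CLI and the agent's RegisterContainerInstance are reported. In practice the principal and origin fields are what you would route on: a root or console-originated change to a production cluster deserves a different notification channel than routine agent registrations.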

In order to follow AWS cloud security best practices and implement the principle of least privilege (i.e. the practice of giving every user, process and system the minimal amount of access required to successfully perform its task), Cloud Conformity strongly recommends that you avoid granting your non-privileged IAM users permission to change Amazon ECS service configuration within your Amazon Web Services account.

The communication channels used to send RTMA notifications when configuration changes are performed can be configured within your Cloud Conformity account. The supported communication channels for receiving configuration change alerts for the Amazon ECS service are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.

Remediation / Resolution

The main purpose of Amazon ECS is to help you deploy, manage and scale Docker containers within your own cloud environment. When you use the Amazon ECS service to run containerized applications in production, monitoring ECS configuration changes in real time is extremely important for keeping your production environment stable and secure. As a best practice, you have to be aware of any configuration change made at the ECS service level at any point in time. Using the Cloud Conformity RTMA feature to detect ECS configuration changes can help you prevent accidental or intentional modifications that may lead to severe security breaches or data loss.

Publication date Dec 18, 2018