Enable CloudWatch Container Insights

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)

Ensure that your Amazon Elastic Container Service (ECS) clusters have the CloudWatch Container Insights feature enabled in order to gain a better perspective on how your cluster’s applications and microservices are performing. CloudWatch Container Insights for Amazon ECS is a monitoring and troubleshooting solution for containerized applications and microservices that collects, aggregates, and summarizes resource utilization such as CPU, memory, disk, and network. The feature also collects diagnostic information such as container restart failures to help you isolate issues with your ECS clusters and resolve them as quickly as possible.

Reliability, Operational excellence, Performance efficiency

Monitoring is an essential part of maintaining the reliability, availability, and performance of your Amazon ECS clusters and of the applications and microservices running on them. Enabling the CloudWatch Container Insights feature gives you an improved overview of your ECS resources, services, and tasks, and helps you identify potential failures or issues.


Audit

To determine if your AWS ECS clusters are using the CloudWatch Container Insights feature, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS ECS dashboard at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Choose the ECS cluster that you want to examine and check the monitoring type of the selected cluster, shown in the CloudWatch monitoring column. If the CloudWatch monitoring type is set to Default, the CloudWatch Container Insights feature is not enabled for the selected Amazon Elastic Container Service (ECS) cluster.

05 Repeat step no. 4 to determine the CloudWatch monitoring type (level) for other AWS ECS clusters available in the current region.

06 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all AWS ECS clusters available in the selected region:

aws ecs list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusterArns'

02 The command output should return a table with the requested ECS cluster ARNs:

--------------------------------------------------------------------
|                           ListClusters                           |
+------------------------------------------------------------------+
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster  |
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-prod-cluster      |
+------------------------------------------------------------------+ 

03 Run describe-clusters command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the cluster that you want to examine as identifier parameter and custom query filters to get the CloudWatch Container Insights feature status for the selected Amazon ECS resource:

aws ecs describe-clusters \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster \
	--query 'clusters[*].settings[?(name==`containerInsights`)].value[]'

04 The command output should return the feature status for the specified ECS cluster:

[
    "disabled"
]

If the describe-clusters command output returns "disabled", as shown in the output example above, the CloudWatch Container Insights feature is not currently enabled for the selected Amazon Elastic Container Service (ECS) cluster.

05 Repeat step no. 3 and 4 to check the feature status for other Amazon ECS clusters created in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable CloudWatch Container Insights for your existing AWS Elastic Container Service (ECS) clusters, perform the following actions:

Note 1: Enabling CloudWatch Container Insights for individual Amazon ECS clusters using the AWS Management Console is not currently supported; the feature can be enabled and configured only through the AWS Command Line Interface (CLI).
Note 2: CloudWatch Container Insights monitoring metrics are provided at an additional cost.

Using AWS CLI

01 Run update-cluster-settings command (OSX/Linux/UNIX) to enable AWS CloudWatch Container Insights feature for the selected Amazon ECS cluster (see Audit section part II to identify the right ECS resource). The following command example enables CloudWatch Container Insights feature for an ECS cluster identified by the ARN "arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster":

aws ecs update-cluster-settings \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster \
	--settings name=containerInsights,value=enabled

02 The command output should return the configuration metadata for the modified AWS ECS cluster:

{
    "cluster": {
        "status": "ACTIVE",
        "statistics": [],
        "tags": [],
        "clusterName": "cc-project5-cluster",
        "settings": [
            {
                "name": "containerInsights",
                "value": "enabled"
            }
        ],
        "registeredContainerInstancesCount": 2,
        "pendingTasksCount": 3,
        "runningTasksCount": 2,
        "activeServicesCount": 1,
        "clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster"
    }
}

03 Repeat step no. 1 and 2 to enable CloudWatch Container Insights for other Amazon ECS clusters provisioned within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.
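The audit loop (list clusters, describe them, read the containerInsights setting, repeat per region) and the update-cluster-settings remediation above, combined into one script. This is an added example, not Conformity's own code or tooling: it assumes boto3 is installed with credentials permitted to call ecs:ListClusters, ecs:DescribeClusters and ecs:UpdateClusterSettings, and the region list and --fix flag are this script's own conventions. The pure functions take the plain dicts that DescribeClusters returns, so the compliance logic can be checked against constructed sample data without AWS access. A cluster that carries no containerInsights entry at all inherits the account-level default, which a DescribeClusters response does not show, so the script reports it as not enabled rather than assuming it is.

```python
"""Audit, and optionally remediate, CloudWatch Container Insights on ECS clusters.

Added example (not Conformity's code). boto3 is imported lazily so the pure
functions can run offline against constructed DescribeClusters-shaped dicts.
"""
import sys
from typing import Dict, Iterable, List

SETTING_NAME = "containerInsights"


def container_insights_value(cluster: Dict) -> str:
    """Return the containerInsights value for one cluster dict from DescribeClusters.

    Same lookup as the page's JMESPath query
    clusters[*].settings[?name==`containerInsights`].value. A cluster with no
    such entry inherits the account default, which is invisible here, so it is
    reported as "unset" (treated conservatively as not enabled).
    """
    for setting in cluster.get("settings", []):
        if setting.get("name") == SETTING_NAME:
            return setting.get("value", "unset")
    return "unset"


def non_compliant_clusters(describe_response: Dict) -> List[str]:
    """Return ARNs of ACTIVE clusters whose Container Insights value is not "enabled".

    Only ACTIVE clusters count: DescribeClusters keeps reporting INACTIVE
    (deleted) clusters for a while, and those cannot be updated anyway.
    """
    return [
        c["clusterArn"]
        for c in describe_response.get("clusters", [])
        if c.get("status") == "ACTIVE" and container_insights_value(c) != "enabled"
    ]


def chunks(items: List[str], size: int = 100) -> Iterable[List[str]]:
    """DescribeClusters accepts at most 100 cluster identifiers per call."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def audit_region(region: str) -> List[str]:
    """List every cluster in a region (paginated) and return non-compliant ARNs."""
    import boto3  # lazy import: the pure functions above do not need it
    ecs = boto3.client("ecs", region_name=region)
    arns: List[str] = []
    for page in ecs.get_paginator("list_clusters").paginate():
        arns.extend(page["clusterArns"])
    findings: List[str] = []
    for batch in chunks(arns):
        resp = ecs.describe_clusters(clusters=batch, include=["SETTINGS"])
        findings.extend(non_compliant_clusters(resp))
    return findings


def enable_container_insights(region: str, cluster_arn: str) -> str:
    """Remediation: the page's update-cluster-settings call; returns the new value."""
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    resp = ecs.update_cluster_settings(
        cluster=cluster_arn,
        settings=[{"name": SETTING_NAME, "value": "enabled"}],
    )
    return container_insights_value(resp["cluster"])


def main(argv: List[str]) -> int:
    """usage: audit_container_insights.py [--fix] [region ...]  (default: all ECS regions)"""
    fix = "--fix" in argv
    regions = [a for a in argv if not a.startswith("--")]
    if not regions:
        import boto3
        regions = boto3.session.Session().get_available_regions("ecs")
    exit_code = 0
    for region in regions:
        for arn in audit_region(region):
            exit_code = 1  # non-zero exit lets a CI job flag the finding
            print(f"{region}: Container Insights not enabled on {arn}")
            if fix:
                print(f"  -> now {enable_container_insights(region, arn)}")
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to audit every region the ECS service is available in, or name regions explicitly (`python audit_container_insights.py us-east-1 eu-west-1`); add `--fix` to apply the page's update-cluster-settings remediation to each cluster it reports. The non-zero exit status makes the audit usable as a scheduled compliance check.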

Publication date Sep 5, 2019
