Monitor Amazon ECS Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the AWS ECS service level, within your Amazon Web Services account.

Security

Amazon ECS is a highly scalable, high-performance, container management service that makes it easy to run and manage Docker containers within a cluster. You can use the Elastic Container Service (ECS) service to schedule the placement of containers across your cluster based on your resource needs, isolation policies and availability requirements. Amazon ECS eliminates the need for you to install, operate and scale your own cluster management infrastructure. With AWS ECS, you can launch and stop Docker-enabled applications, query the complete state of your application and access AWS cloud resources and features like IAM roles, EC2 security groups, EBS volumes, CloudWatch events, Amazon CloudFormation templates and CloudTrail logs.
The Cloud Conformity RTMA feature monitors and detects each ECS configuration change made in your AWS account, such as creating and updating attributes for an ECS resource, deregistering container instances from a cluster, removing a specified service from a cluster or deleting a cluster. Specifically, the activity detected by this Cloud Conformity RTMA rule can be any IAM or root account user request initiated through the AWS Management Console, or any AWS API request initiated programmatically using the AWS CLI or SDKs, that triggers the following Amazon ECS actions:

"CreateCapacityProvider" - Creates a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling.

"CreateCluster" - Creates an Amazon ECS cluster. By default, your AWS account receives a default cluster when you launch your first Docker container instance, however, you can create your own ECS cluster using a unique name with this action.

"CreateService" - Runs and maintains a desired number of tasks from a specified task definition.

"CreateTaskSet" - Creates a task set in the specified cluster and service. This is used when a service uses the EXTERNAL deployment controller type.

"DeleteAccountSetting" - Disables an account setting for a specified IAM user, IAM role, or the root user for an account.

"DeleteAttributes" - Deletes one or more custom attributes from an AWS ECS resource such as a container instance.

"DeleteCapacityProvider" - Deletes the specified capacity provider.

"DeleteCluster" - Deletes the specified ECS cluster. You must deregister all container instances from this cluster before you can delete it.

"DeleteService" - Deletes a specified service within an AWS ECS cluster.

"DeleteTaskSet" - Deletes a specified task set within a service. This is used when a service uses the EXTERNAL deployment controller type.

"DeregisterContainerInstance" - Deregisters a container instance from the specified ECS cluster. Once deregistered, the instance is no longer available to run tasks.

"DeregisterTaskDefinition" - Deregisters the specified task definition by family and revision.

"PutAccountSetting" - Modifies an account setting. Account settings are set on a per-Region basis.

"PutAttributes" - Creates or updates an attribute for an AWS ECS resource. If the attribute does not exist, it is created, but if the attribute exists, its value is replaced with the value specified when the request is made.

"PutClusterCapacityProviders" - Modifies the available capacity providers and the default capacity provider strategy for a cluster.

"RegisterContainerInstance" - Registers an EC2 instance to a specified ECS cluster. The instance becomes available for new Docker containers.

"RegisterTaskDefinition" - Registers a new task definition from the supplied family and container definitions. Container definitions are used to describe the different containers that are launched as part of a task.

"UpdateClusterSettings" - Modifies the settings to use for a cluster.

"UpdateContainerAgent" - Updates the Amazon ECS container agent for a specified container instance.

"UpdateContainerInstancesState" - Modifies the status of an AWS ECS container instance.

"UpdateService" - Modifies the parameters of the Amazon ECS service.

"UpdateServicePrimaryTaskSet" - Modifies which task set in a service is the primary task set.

"UpdateTaskSet" - Modifies a task set.
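As an added illustration (not part of the original rule page or of the Conformity product), the following Python script applies the action list above to CloudTrail records: it ignores read-only ECS calls and non-ECS events, surfaces who made the change (root versus an IAM user or assumed role) and from which client, and ranks deletions and deregistrations above creations and updates. The log records are constructed sample data, and the severity mapping is this example's own choice.

```python
import json
from typing import Dict, Iterable, List, Optional

# ECS write actions the RTMA rule reports, as listed on this page.
ECS_CONFIG_ACTIONS = frozenset({
    "CreateCapacityProvider", "CreateCluster", "CreateService", "CreateTaskSet",
    "DeleteAccountSetting", "DeleteAttributes", "DeleteCapacityProvider",
    "DeleteCluster", "DeleteService", "DeleteTaskSet",
    "DeregisterContainerInstance", "DeregisterTaskDefinition",
    "PutAccountSetting", "PutAttributes", "PutClusterCapacityProviders",
    "RegisterContainerInstance", "RegisterTaskDefinition",
    "UpdateClusterSettings", "UpdateContainerAgent",
    "UpdateContainerInstancesState", "UpdateService",
    "UpdateServicePrimaryTaskSet", "UpdateTaskSet",
})

def classify_event(event: Dict) -> Optional[Dict]:
    """Return an alert for an ECS configuration change, or None to ignore it."""
    if event.get("eventSource") != "ecs.amazonaws.com":
        return None
    name = event.get("eventName", "")
    if name not in ECS_CONFIG_ACTIONS:
        return None  # read-only calls such as DescribeClusters are not changes
    ident = event.get("userIdentity", {})
    # CloudTrail records root usage as type "Root"; IAM users and assumed
    # roles carry an ARN, which is what an on-call engineer needs to see.
    actor = "root" if ident.get("type") == "Root" else ident.get("arn", "unknown")
    # Removing resources is ranked above creating or updating them (example's own choice).
    severity = "high" if name.startswith(("Delete", "Deregister")) else "medium"
    return {"time": event.get("eventTime"), "action": name, "actor": actor,
            "severity": severity, "user_agent": event.get("userAgent", ""),
            "request": event.get("requestParameters") or {}}

def scan_trail(lines: Iterable[str]) -> List[Dict]:
    """Run every JSON-encoded CloudTrail record (one per line) through classify_event."""
    found = (classify_event(json.loads(l)) for l in lines if l.strip())
    return [a for a in found if a is not None]

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE_TRAIL = [
    '{"eventTime":"2018-12-18T10:00:00Z","eventSource":"ecs.amazonaws.com","eventName":"DescribeClusters","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"userAgent":"aws-cli/1.16.0"}',
    '{"eventTime":"2018-12-18T10:01:00Z","eventSource":"ecs.amazonaws.com","eventName":"DeleteCluster","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"userAgent":"console.amazonaws.com","requestParameters":{"cluster":"prod"}}',
    '{"eventTime":"2018-12-18T10:02:00Z","eventSource":"ecs.amazonaws.com","eventName":"UpdateService","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Deployer/ci"},"userAgent":"aws-sdk-go/1.15","requestParameters":{"service":"api","desiredCount":0}}',
    '{"eventTime":"2018-12-18T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"}}',
]

if __name__ == "__main__":
    for a in scan_trail(SAMPLE_TRAIL):
        print(f'{a["time"]} {a["severity"]:6} {a["action"]:28} by {a["actor"]}')
```

Running the script on the sample yields two alerts: the root-initiated DeleteCluster (high) and the UpdateService that scaled a service to zero tasks (medium), while DescribeClusters and the EC2 event are dropped.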

In order to follow AWS cloud security best practices and implement the principle of least privilege (i.e. the practice of granting every user, process and system only the minimal access required to successfully perform its intended task), Cloud Conformity strongly recommends that you avoid granting your non-privileged IAM users permission to change the Amazon ECS service configuration within your Amazon Web Services account.

The communication channels used to send RTMA notifications when configuration changes are performed can be configured within your Cloud Conformity account. The supported communication channels that you can use to receive configuration change alerts for the Amazon ECS service are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.

Remediation / Resolution

The main purpose of Amazon ECS is to help you deploy, manage and scale Docker containers within your own cloud environment. When you use the Amazon ECS service to run containerized applications in production, monitoring ECS configuration changes in real time is extremely important for keeping your production environment stable and secure. As a best practice, you should be aware of any configuration change made at the ECS service level at any point in time. Using the Cloud Conformity RTMA feature to detect ECS configuration changes can help you prevent accidental or intentional modifications that may lead to severe security breaches or data loss.

Publication date Dec 18, 2018
