Monitor Amazon ECS Configuration Changes

"CreateCapacityProvider" - Creates a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling.

"CreateCluster" - Creates an Amazon ECS cluster. By default, your AWS account receives a default cluster when you launch your first Docker container instance, however, you can create your own ECS cluster using a unique name with this action.

"CreateService" - Runs and maintains a desired number of tasks from a specified task definition.

"CreateTaskSet" - Create a task set in the specified cluster and service. This is used when a service uses the EXTERNAL deployment controller type.

"DeleteAccountSetting" - Disables an account setting for a specified IAM user, IAM role, or the root user for an account.

"DeleteAttributes" - Deletes one or more custom attributes from an AWS ECS resource such as a container instance.

"DeleteCapacityProvider" - Deletes the specified capacity provider.

"DeleteCluster" - Deletes the specified ECS cluster. You must deregister all container instances from this cluster before you can delete it.

"DeleteService" - Deletes a specified service within an AWS ECS cluster.

"DeleteTaskSet" - Deletes a specified task set within a service. This is used when a service uses the EXTERNAL deployment controller type.

"DeregisterContainerInstance" - Deregisters a container instance from the specified ECS cluster. Once deregistered, the instance is no longer available to run tasks.

"DeregisterTaskDefinition" - Deregisters the specified task definition by family and revision.

"PutAccountSetting" - Modifies an account setting. Account settings are set on a per-Region basis.

"PutAttributes" - Creates or updates an attribute for an AWS ECS resource. If the attribute does not exist, it is created, but if the attribute exists, its value is replaced with the value specified when the request is made.

"PutClusterCapacityProviders" - Modifies the available capacity providers and the default capacity provider strategy for a cluster.

"RegisterContainerInstance" - Registers an EC2 instance to a specified ECS cluster. The instance becomes available for new Docker containers.

"RegisterTaskDefinition" - Registers a new task definition from the supplied family and container definitions. Container definitions are used to describe the different containers that are launched as part of a task.

"UpdateClusterSettings" - Modifies the settings to use for a cluster.

"UpdateContainerAgent" - Updates the Amazon ECS container agent for a specified container instance.

"UpdateContainerInstancesState" - Modifies the status of an AWS ECS container instance.

"UpdateService" - Modifies the parameters of the Amazon ECS service.

"UpdateServicePrimaryTaskSet" - Modifies which task set in a service is the primary task set.

"UpdateTaskSet" - Modifies a task set.

In order to follow AWS cloud security best practices and implement the principle of least privilege (i.e. the practice of providing every user, process and system the minimal amount of access required to perform successfully their desired task), Cloud Conformity strongly recommends that you avoid allowing your non-privileged IAM users the permission to change Amazon ECS service configuration within your Amazon Web Services account.

The communication channels required for sending RTMA notifications when configuration changes are performed, can be configured within your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for Amazon ECS service are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.