Profile Applicability:
Level 1
Description:
Amazon ECS integrates with Amazon CloudWatch to provide Container Insights for monitoring and troubleshooting containerized applications. Container Insights enables you to collect, aggregate, and analyze metrics and logs from ECS clusters, helping to track container performance, resource utilization, and potential issues. This SOP ensures that ECS clusters have Container Insights enabled to gain detailed insights into ECS container performance and improve operational visibility.
Rationale:
Enabling Container Insights on ECS clusters allows you to monitor your containerized applications and gather valuable metrics and logs for performance analysis. It provides:
Detailed Metrics: For CPU, memory, disk usage, and network performance.
Log Collection: For container logs, allowing easier troubleshooting of application issues.
Enhanced Monitoring: For task health, service events, and the overall ECS infrastructure.
By enabling Container Insights, ECS users can proactively identify performance bottlenecks, troubleshoot issues, and improve application reliability.
Impact:
Pros:
Improved Monitoring: Provides deeper insights into ECS cluster performance, helping to identify potential issues before they affect production workloads.
Simplified Troubleshooting: Access to detailed metrics and logs helps pinpoint and resolve issues faster.
Better Resource Management: Metrics such as CPU and memory usage help optimize container resource allocation.
Enhanced Visibility: Provides comprehensive visibility into ECS infrastructure, services, tasks, and containers.
Cons:
Cost: Enabling Container Insights will incur additional costs related to CloudWatch Logs and Metrics.
Data Overload: With a large number of containers, the amount of collected data can become overwhelming and require proper management to avoid unnecessary log retention.
Default Value:
By default, Container Insights is not enabled for ECS clusters. It needs to be explicitly activated in the ECS cluster configuration.
Pre-requisite:
AWS IAM Permissions:
ecs:DescribeClusters
ecs:UpdateClusterSettings
cloudwatch:PutDashboard
cloudwatch:PutMetricData
AWS CLI installed and configured.
Basic knowledge of ECS clusters, CloudWatch, and monitoring services.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to ECS under Services.
In the ECS Dashboard, go to Clusters and select the ECS cluster you want to inspect.
Under the Cluster Settings, verify if Container Insights is enabled:
If Container Insights is enabled, you should see a section for CloudWatch metrics and logs under Monitoring.
If Container Insights is not enabled, enable it by selecting Edit Cluster Settings and enabling Container Insights.
Using AWS CLI:
To describe the ECS cluster settings and check if Container Insights is enabled, run:
aws ecs describe-clusters --clusters <cluster-name> --include SETTINGS --query 'clusters[*].settings'
Review the output for the "containerInsights" setting:
[ { "name": "containerInsights", "value": "enabled" } ]
If the setting is "disabled", enable Container Insights by following the Implementation Steps.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to ECS.
In the ECS Dashboard, select Clusters.
Select the cluster you want to configure.
Click Edit Cluster Settings.
In the Monitoring section, enable Container Insights.
Save the changes to apply Container Insights to the ECS cluster.
Using AWS CLI:
To enable Container Insights for an ECS cluster, run the following command:
aws ecs update-cluster-settings --cluster <cluster-name> --settings name=containerInsights,value=enabled
To verify that Container Insights has been successfully enabled, run:
aws ecs describe-clusters --clusters <cluster-name> --include SETTINGS --query 'clusters[*].settings'
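To apply the describe-clusters check to several clusters at once, the following added example (not part of the original SOP) parses the JSON returned by aws ecs describe-clusters --include SETTINGS and lists every cluster that does not report Container Insights as on. The function names, the embedded sample output and the treatment of the "enhanced" value as compliant are assumptions of this example.

```python
import json

# Values that count as "on". "enhanced" is Container Insights with enhanced
# observability; treating it as compliant is an assumption of this example.
COMPLIANT_VALUES = {"enabled", "enhanced"}

# Constructed sample of `aws ecs describe-clusters --include SETTINGS` output.
SAMPLE_OUTPUT = """
{
  "clusters": [
    {"clusterName": "prod-api", "settings": [{"name": "containerInsights", "value": "enabled"}]},
    {"clusterName": "batch", "settings": [{"name": "containerInsights", "value": "disabled"}]},
    {"clusterName": "legacy", "settings": []}
  ],
  "failures": [{"arn": "arn:aws:ecs:us-east-1:111122223333:cluster/typo", "reason": "MISSING"}]
}
"""

def container_insights_status(describe_output: str) -> dict:
    """Map each cluster to 'enabled', 'enhanced', 'disabled' or 'unknown'."""
    doc = json.loads(describe_output)
    status = {}
    for cluster in doc.get("clusters", []):
        value = "unknown"  # no containerInsights entry returned for this cluster
        for setting in cluster.get("settings") or []:
            if setting.get("name") == "containerInsights":
                value = setting.get("value", "unknown")
        status[cluster["clusterName"]] = value
    # Clusters the API could not describe are reported, never assumed compliant.
    for failure in doc.get("failures", []):
        status[failure["arn"]] = "unknown"
    return status

def non_compliant(describe_output: str) -> list:
    """Return sorted cluster identifiers whose setting is not an 'on' value."""
    status = container_insights_status(describe_output)
    return sorted(n for n, v in status.items() if v not in COMPLIANT_VALUES)

if __name__ == "__main__":
    for name in non_compliant(SAMPLE_OUTPUT):
        print(f"FAIL {name}")
```

A cluster with an empty settings list is reported as unknown rather than compliant, which is also what the output looks like when --include SETTINGS is left off the command.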
Backout Plan:
If enabling Container Insights causes issues (e.g., performance degradation or excessive data logging):
Identify the ECS cluster that was modified.
Revert the Container Insights setting to disabled by running the following command:
aws ecs update-cluster-settings --cluster <cluster-name> --settings name=containerInsights,value=disabled
Verify that Container Insights is now disabled by describing the ECS cluster settings.
Note:
Cost Considerations: Enabling Container Insights will increase costs for CloudWatch Logs and Metrics. It is important to review the log retention policies and adjust them as needed to avoid unnecessary data storage costs.
Scaling: When enabling Container Insights for large ECS clusters, ensure the configuration scales appropriately with your application load.