Profile Applicability:

  • Level 1

Description:
Configure logging for Amazon ECS task definitions to capture detailed application and container activity. This ensures that containerized applications running in ECS are logged for effective monitoring, troubleshooting, and incident response.

Rationale:
Logging is crucial for monitoring ECS tasks and containers. It enables tracking of system behavior, identifying anomalies, troubleshooting issues, and improving security. Effective logging supports rapid detection of issues and enhances the ability to respond to incidents promptly.

Impact:
Pros:

  • Enhanced monitoring and visibility into ECS containers.

  • Faster troubleshooting and issue resolution.

  • Better incident response and improved security posture.

Cons:

  • Storage and processing costs associated with logging.

  • Initial setup and ongoing management overhead.

Default Value:
Logging is enabled by default when a task definition is created via the console. However, explicit log configuration may be necessary to ensure logs are being captured correctly.

Pre-requisites:

  • AWS IAM permissions to manage ECS task definitions and logging:
     ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition to review.

  4. Click on the latest active revision of the task definition.

  5. Click JSON to view the raw configuration.

  6. Ensure that at least one element under containerDefinitions has a logConfiguration property defined, and that the value for logDriver is not null.

  7. If no log configuration is found or the logDriver is null, follow the remediation steps below.

  8. Repeat steps 1–7 for all task definitions across all AWS regions.

Using AWS CLI:

  1. Run the following command to list all task definitions:

    aws ecs list-task-definitions

  2. For the latest revision of a task definition, run the following command:

    aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.containerDefinitions[*].logConfiguration'

  3. Ensure that the command returns at least one logConfiguration object, and that the value for logDriver is not null.

  4. Repeat steps 1–3 for all task definitions and AWS regions.
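The following is an added example, not part of this benchmark text, that applies the test above to the JSON shape returned by describe-task-definition. The sample task definition is constructed; scan_region assumes boto3 and AWS credentials are available for the region it is given. is_compliant implements the at-least-one-container test exactly as stated above, while containers_without_logging goes further and names every container that lacks a driver, which is what an auditor usually wants to see.

```python
# Constructed sample in the shape returned by
#   aws ecs describe-task-definition --task-definition <task-definition-arn>
# (only the fields relevant to the logging check are included).
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {
            "name": "web",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/example-web",
                            "awslogs-region": "us-east-1",
                            "awslogs-stream-prefix": "web"},
            },
        },
        {"name": "sidecar"},  # no logConfiguration at all
    ],
}


def containers_without_logging(task_definition):
    """Names of containers whose logConfiguration is absent or has no logDriver."""
    missing = []
    for container in task_definition.get("containerDefinitions", []):
        log_config = container.get("logConfiguration") or {}
        if not log_config.get("logDriver"):  # missing, null or empty driver
            missing.append(container.get("name", "<unnamed>"))
    return missing


def is_compliant(task_definition):
    """Benchmark test: at least one container has a non-null logDriver."""
    total = len(task_definition.get("containerDefinitions", []))
    return total > 0 and len(containers_without_logging(task_definition)) < total


def scan_region(region):
    """Check the latest ACTIVE revision of every task family in one region."""
    import boto3  # imported here so the pure checks above run offline
    ecs = boto3.client("ecs", region_name=region)
    findings = {}
    paginator = ecs.get_paginator("list_task_definition_families")
    for page in paginator.paginate(status="ACTIVE"):
        for family in page["families"]:
            # Passing the family name returns its latest ACTIVE revision.
            td = ecs.describe_task_definition(taskDefinition=family)["taskDefinition"]
            if not is_compliant(td):
                findings[td["taskDefinitionArn"]] = containers_without_logging(td)
    return findings
```

Run scan_region once per region in use to cover step 4; an empty result means every active family passes the test.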

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition to modify.

  4. Click on the latest active revision of the task definition.

  5. Click Create new revision.

  6. Click Create new revision with JSON.

  7. For at least one container, under Logging > Log collection, check the box next to Use log collection and configure the log collection options as needed (e.g., setting the logDriver to awslogs and specifying the log group name).

  8. Click Create to save the new revision.

  9. Repeat steps 1–8 for each task definition requiring remediation.

Using AWS CLI:

  1. For each task definition that needs to be updated, run the following command to register a new task definition with logging enabled. Note that the awslogs driver requires the awslogs-region option, and the log group must already exist unless the awslogs-create-group option is set to true:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --container-definitions '[{"name": "<container-name>", "image": "<image-name>", "logConfiguration": {"logDriver": "awslogs", "options": {"awslogs-group": "<log-group-name>", "awslogs-region": "<aws-region>", "awslogs-stream-prefix": "<prefix>"}}}]'

  2. After updating the task definitions, redeploy the ECS tasks using the new task definition.

Backout Plan:

Using AWS Console:

  1. If issues arise after updating the task definitions, revert to the previous revision of the task definition that did not include the logging configuration.

  2. Redeploy ECS tasks using the previous task definition.

Using AWS CLI:

  1. To restore the original configuration, run the following command to register a new task definition without a log configuration. Omit the logConfiguration property entirely; an empty logConfiguration object is rejected because logDriver is required whenever the property is present:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --container-definitions '[{"name": "<container-name>", "image": "<image-name>"}]'

  2. Redeploy ECS tasks using the older task definition if necessary.


CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------
  v8      | 8.2        | Collect audit logs: Ensure logging is enabled for all ECS task definitions to support monitoring and incident response.
  v7      | 6.2        | Activate audit logging: Ensure that logging is enabled across all systems, including Amazon ECS tasks, to support auditing and incident detection.