Profile Applicability:

  • Level 2

Description:
Enable AWS CloudWatch Container Insights for Amazon ECS clusters to monitor resource usage, performance, and application health through metrics and logs.

Rationale:
Monitoring ECS clusters with Container Insights improves visibility into the health and performance of ECS applications and supports faster issue detection. From a security standpoint, the per-cluster, per-service and per-task metrics and logs it collects provide the baseline needed to spot anomalies (unexpected CPU, memory or network usage, crash loops, task churn) and the forensic detail needed during an investigation.

Impact:
Enabling AWS CloudWatch Container Insights for ECS clusters incurs costs for metrics, log ingestion, storage, and alarms; Container Insights with enhanced observability emits additional, more granular metrics and therefore costs more than the standard setting. The benefits of proactive monitoring and faster issue resolution generally justify the costs, but the expected volume should be reviewed for large clusters.

Default Value:
Container Insights is disabled by default. A newly created cluster inherits the account-level containerInsights setting (set with aws ecs put-account-setting --name containerInsights --value enabled), so it is enabled at creation only where that account setting has been turned on.

Pre-requisites:

  • AWS IAM permissions to list and modify ECS cluster settings: ecs:ListClusters, ecs:DescribeClusters, ecs:UpdateClusterSettings

  • CloudWatch permissions to view and update CloudWatch Container Insights settings: cloudwatch:PutMetricData, cloudwatch:DescribeAlarms

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console at https://console.aws.amazon.com/ecs/.

  2. In the left panel, click Clusters.

  3. For each cluster listed, check the CloudWatch monitoring column and ensure that it shows Container Insights or Container Insights with enhanced observability.

Using AWS CLI:

  1. Run the following command to list clusters:

    aws ecs list-clusters

  2. Run the following command to view the settings for a cluster:

    aws ecs describe-clusters --clusters <cluster-arn> --include SETTINGS --query 'clusters[*].settings'

  3. Ensure that the containerInsights setting has the value enabled or enhanced. A value of disabled, or no containerInsights entry in the output, is a finding.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console at https://console.aws.amazon.com/ecs/.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Click Update cluster.

  5. Under Monitoring, select the radio button next to Container Insights or Container Insights with enhanced observability.

  6. Click Update.

  7. Repeat steps 3-6 for each ECS cluster requiring remediation.

Using AWS CLI:

  1. For each cluster requiring remediation, run the following command to enable containerInsights (use value=enhanced for Container Insights with enhanced observability):

    aws ecs update-cluster-settings --cluster <cluster-arn> --settings name=containerInsights,value=enabled
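The CLI steps of the Test Plan and the Implementation Plan above, combined into one script, as an added example that is not part of the original benchmark text. It walks every cluster returned by list-clusters, parses the describe-clusters settings output, flags any cluster whose containerInsights value is not enabled or enhanced, and, when invoked with the remediate argument, applies update-cluster-settings to the failing clusters. The script name, the audit/remediate arguments, the PASS/FAIL output format and the SAMPLE_* lines are assumptions for illustration; a cluster with no containerInsights entry at all is treated as disabled, the conservative choice.

```shell
#!/bin/sh
# Audit every ECS cluster for Container Insights and optionally remediate.
# Usage:  sh ecs_container_insights.sh audit        (report only)
#         sh ecs_container_insights.sh remediate    (enable where missing)
# Needs the AWS CLI with ecs:ListClusters, ecs:DescribeClusters and,
# for remediate, ecs:UpdateClusterSettings.
set -eu

# Constructed samples of what `describe-clusters --include SETTINGS
# --query 'clusters[*].settings' --output text` prints (not real account data).
SAMPLE_ENABLED=$(printf 'containerInsights\tenabled')
SAMPLE_ENHANCED=$(printf 'containerInsights\tenhanced')
SAMPLE_DISABLED=$(printf 'containerInsights\tdisabled')

# ci_value TEXT: print the containerInsights value found in TEXT.
# A missing setting is reported as "disabled" so that it shows up as a
# finding instead of silently passing.
ci_value() {
  line=$(printf '%s\n' "$1" | grep containerInsights | head -n 1 || true)
  if [ -z "$line" ]; then
    echo disabled
  else
    echo "$line" | awk '{ print $NF }'
  fi
}

# is_compliant TEXT: succeed only when the setting is enabled or enhanced.
is_compliant() {
  case "$(ci_value "$1")" in
    enabled|enhanced) return 0 ;;
    *) return 1 ;;
  esac
}

# audit MODE: check all clusters; with MODE=remediate, enable Container
# Insights on each failing cluster. Returns 1 if any cluster failed.
audit() {
  mode=$1; rc=0
  for arn in $(aws ecs list-clusters --query 'clusterArns[]' --output text); do
    out=$(aws ecs describe-clusters --clusters "$arn" --include SETTINGS \
            --query 'clusters[*].settings' --output text)
    if is_compliant "$out"; then
      echo "PASS  $arn  containerInsights=$(ci_value "$out")"
    else
      echo "FAIL  $arn  containerInsights=$(ci_value "$out")"; rc=1
      if [ "$mode" = remediate ]; then
        aws ecs update-cluster-settings --cluster "$arn" \
          --settings name=containerInsights,value=enabled >/dev/null
        echo "      enabled containerInsights on $arn"
      fi
    fi
  done
  return $rc
}

# Only call AWS when explicitly asked; sourcing the file just defines functions.
case "${1:-}" in
  audit|remediate) audit "$1" ;;
esac
```

Run it with the audit argument first and review the FAIL lines; the non-zero exit status makes it usable as a scheduled compliance check. The remediate mode sets value=enabled; change that to value=enhanced if the organisation has standardised on enhanced observability.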

Backout Plan:

Using AWS Console:

  1. If issues arise after enabling monitoring, revert the setting by following the same steps and selecting the option that turns Container Insights off for the cluster.

Using AWS CLI:

  1. If issues arise, disable containerInsights by running the following command:

    aws ecs update-cluster-settings --cluster <cluster-arn> --settings name=containerInsights,value=disabled

References:

  1. AWS CloudWatch Container Insights Documentation

  2. CloudWatch Detailed ECS Metrics

  3. AWS CLI: Update Cluster Settings

  4. AWS CLI: Describe Clusters

CIS Controls:

  Version   Control ID   Control Description

  v8        8.5          Collect Detailed Audit Logs: Configure detailed audit logging for enterprise assets containing sensitive data, including key event attributes such as user, timestamp, source addresses, and other useful forensic elements.

  v7        6.3          Enable Detailed Logging: Ensure that detailed system logging is enabled, including useful information such as event source, user, timestamp, and relevant addresses for effective monitoring and investigation.