Profile Applicability:

  • Level 1

Description:
 Ensure all Amazon ECS services have resource tags to facilitate asset management, tracking, and compliance.

Rationale:
 Consistent tagging supports compliance and helps identify unauthorized or misconfigured resources. Tags provide visibility into resources and their purposes, making it easier to manage, track, and enforce policies.

Impact:

Pros:

  • Enhances organization, resource visibility, and management.

  • Supports compliance and security tracking.

  • Improves policy enforcement and auditing.

Cons:

  • Requires time to define a clear tagging policy.

  • Tags must be maintained across all resources and environments.

Default Value:
 By default, Amazon ECS services are not tagged.

Pre-requisites:
 1. AWS IAM permissions:

  • ecs:TagResource

  • ecs:ListTagsForResource

  • ecs:DescribeServices

2. Tagging policy and strategy defined by the organization.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Under Services, click the name of a service.

  5. Click Tags.

  6. Ensure at least one tag is listed that does not begin with aws:. Tags prefixed with aws: are AWS-managed.

  7. Repeat steps 1–6 for each ECS cluster and service.

Using AWS CLI:

  1. Run the following command to list clusters:

     aws ecs list-clusters


  2. Run the following command to list services in a cluster:

     aws ecs list-services --cluster <cluster-arn>


  3. Run the following command to view the tags for a service:

     aws ecs list-tags-for-resource --resource-arn <service-arn>


  4. Ensure that at least one tag is returned whose key does not begin with aws:. Tags prefixed with aws: are AWS-managed and do not count as your own tags.

  5. Repeat for each cluster and service.
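The CLI steps above can be scripted so the check is repeatable across every cluster and service and can also enforce the organization's own tagging policy from the pre-requisites (a set of required keys). The following is an added example, not code from the benchmark: the pure functions reproduce the check on the body of a list-tags-for-resource response, and audit_account() walks the account with boto3 (assumed to be installed and credentialed, and imported lazily so the rest runs offline). The service ARNs, account id and tag values are constructed sample data.

```python
"""Audit Amazon ECS services for customer-managed (non-aws:) tags.

Added example, not part of the benchmark text. Assumes boto3 for the live
audit; the evaluation functions themselves need only the standard library.
"""
from __future__ import annotations

from dataclasses import dataclass, field

AWS_MANAGED_PREFIX = "aws:"  # keys with this prefix are created by AWS, not by you


@dataclass
class TagFinding:
    service_arn: str
    customer_tags: dict[str, str]
    missing_required: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # The benchmark check passes when at least one non-aws: tag exists;
        # if the organization defined required keys, those must be present too.
        return bool(self.customer_tags) and not self.missing_required


def customer_tags(tags: list[dict]) -> dict[str, str]:
    """Return the non-AWS-managed tags from a list_tags_for_resource response.

    The ECS API spells tag fields in lower case ("key"/"value").
    """
    return {
        t["key"]: t.get("value", "")
        for t in tags
        if not t["key"].startswith(AWS_MANAGED_PREFIX)
    }


def evaluate_service(service_arn: str, tags: list[dict], required_keys=()) -> TagFinding:
    """Evaluate one service's tag list against the benchmark and the local policy."""
    present = customer_tags(tags)
    missing = [k for k in required_keys if k not in present]
    return TagFinding(service_arn, present, missing)


def audit_account(required_keys=(), region_name=None) -> list[TagFinding]:
    """Mirror the CLI steps: list clusters, list services, list tags, evaluate."""
    import boto3  # assumed available; imported here so the offline functions do not need it

    ecs = boto3.client("ecs", region_name=region_name)
    findings = []
    for page in ecs.get_paginator("list_clusters").paginate():
        for cluster_arn in page["clusterArns"]:
            for spage in ecs.get_paginator("list_services").paginate(cluster=cluster_arn):
                for service_arn in spage["serviceArns"]:
                    tags = ecs.list_tags_for_resource(resourceArn=service_arn)["tags"]
                    findings.append(evaluate_service(service_arn, tags, required_keys))
    return findings


# Constructed sample: what list-tags-for-resource returns for two services.
# The first carries its own tags; the second has only an AWS-managed tag.
SAMPLE_RESPONSES = {
    "arn:aws:ecs:us-east-1:111122223333:service/prod/web": {
        "tags": [{"key": "aws:cloudformation:stack-name", "value": "prod-web"},
                 {"key": "Owner", "value": "payments"},
                 {"key": "Environment", "value": "prod"}]},
    "arn:aws:ecs:us-east-1:111122223333:service/prod/worker": {
        "tags": [{"key": "aws:cloudformation:stack-name", "value": "prod-worker"}]},
}


def audit_samples(required_keys=("Owner", "Environment")) -> list[TagFinding]:
    """Run the evaluation over the constructed sample responses."""
    return [evaluate_service(arn, body["tags"], required_keys)
            for arn, body in SAMPLE_RESPONSES.items()]


if __name__ == "__main__":
    for f in audit_samples():
        state = "PASS" if f.compliant else "FAIL"
        print(f"{state} {f.service_arn} tags={sorted(f.customer_tags)} missing={f.missing_required}")
```

Run it as-is to see the two sample verdicts; call audit_account(required_keys=("Owner", "Environment")) with valid credentials to audit a real account. The required-keys argument is where the organization's tagging policy plugs in; with no required keys the function reduces to exactly the benchmark's "at least one non-aws: tag" test.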

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Under Services, click the name of a service.

  5. Click Tags.

  6. Click Manage tags.

  7. Click Add tag.

  8. Provide a Key and an optional Value for the tag.

  9. Click Save.

  10. Repeat steps 1–9 for each ECS cluster and service requiring remediation.

Using AWS CLI:

  1. For each service requiring remediation, run the following command to add tags:

     aws ecs tag-resource --resource-arn <service-arn> --tags key=<tag-key>,value=<tag-value>


Backout Plan:

Using AWS Console:

  1. If any issue arises after tagging, you can remove or modify tags by following the same process but selecting the Delete option for tags.

Using AWS CLI:

  1. To remove tags, run the following command:

     aws ecs untag-resource --resource-arn <service-arn> --tag-keys <tag-key>

References:

  1. Amazon ECS Tagging Guide

  2. AWS CLI: List ECS Clusters

  3. AWS CLI: List ECS Services

  4. AWS CLI: List Tags for ECS Resource

CIS Controls:

  Version | Control ID | Control Description
  v8      | 1.1        | Establish and Maintain Detailed Enterprise Asset Inventory: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets, including those in cloud environments, and ensure the inventory includes asset attributes and approval status.
  v7      | 1.4        | Maintain Detailed Asset Inventory: Maintain an accurate and up-to-date inventory of all technology assets, including those connected to the network or not, for better management and compliance.