Profile Applicability:

  • Level 1

Description:
 Ensure all Amazon ECS clusters have resource tags to facilitate asset management, tracking, and compliance.

Rationale:
 Consistent tagging supports compliance and helps identify unauthorized or misconfigured resources. It also improves resource organization, simplifies management, and helps with cost allocation.

Impact:
 There is minimal administrative overhead associated with implementing and maintaining resource tags. However, tagging improves the ability to manage and track resources, making it easier to enforce policies.

Default Value:
 By default, Amazon ECS clusters have only AWS-managed tags.

Remediation
Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Click Tags.

  5. Ensure at least one tag is listed that does not begin with aws:. Tags prefixed with aws: are AWS-managed.

  6. Repeat steps 1–5 for each ECS cluster.

Using AWS CLI:

  1. Run the following command to list clusters:

     aws ecs list-clusters

  2. Run the following command to view the tags for a cluster:

     aws ecs list-tags-for-resource --resource-arn <cluster-arn>

  3. Ensure that tags are returned that do not begin with aws:. Tags prefixed with aws: are AWS-managed.

  4. Repeat for each cluster.
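
The CLI audit steps above, scripted as an added example that is not part of the original benchmark text. It assumes the AWS CLI is already configured for the target account and region; the function names and the `--audit` switch are hypothetical names chosen for this script.

```shell
#!/bin/sh
# Added example: check every ECS cluster for at least one tag whose key
# does not begin with "aws:" (those are AWS-managed and do not count).

# has_user_tag: reads tag keys on stdin, one per line.
# Returns 0 if any key is user-defined, 1 if all are AWS-managed or absent.
has_user_tag() {
    while IFS= read -r key; do
        case "$key" in
            ''|aws:*) ;;        # empty field or AWS-managed tag: skip
            *) return 0 ;;      # user-defined tag found
        esac
    done
    return 1
}

# audit_clusters: prints "PASS <arn>" or "FAIL <arn>" for each cluster.
# Returns 0 if all pass, 1 if any cluster fails, 2 if an AWS CLI call errors.
audit_clusters() {
    failed=0
    arns=$(aws ecs list-clusters \
               --query 'clusterArns[]' --output text) || return 2
    for arn in $arns; do
        # Text output separates keys with tabs; keys may contain spaces.
        keys=$(aws ecs list-tags-for-resource --resource-arn "$arn" \
                   --query 'tags[].key' --output text) || return 2
        if printf '%s\n' "$keys" | tr '\t' '\n' | has_user_tag; then
            echo "PASS $arn"
        else
            echo "FAIL $arn"
            failed=1
        fi
    done
    return "$failed"
}

# Run only when called with --audit (hypothetical switch for this script),
# so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    audit_clusters
fi
```

A non-zero exit status makes the script usable as a gate in a scheduled job or pipeline; status 2 separates an AWS CLI error from a genuine finding.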

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of a cluster.

  4. Click Tags.

  5. Click Manage tags.

  6. Click Add tag.

  7. Provide a Key and an optional Value for the tag.

  8. Click Save.

  9. Repeat steps 1–9 for each ECS cluster requiring remediation.

Using AWS CLI:

  1. For each cluster requiring remediation, run the following command to add tags:

     aws ecs tag-resource --resource-arn <cluster-arn> --tags key=<tag-key>,value=<tag-value>

Backout Plan:

Using AWS Console:

  1. If any issue arises after tagging, you can remove or modify tags by following the same process but selecting the Delete option for tags.

Using AWS CLI:

  1. To remove tags, run the following command:

     aws ecs untag-resource --resource-arn <cluster-arn> --tag-keys <tag-key>

CIS Controls:

  Version | Control ID | Control Description
  v8 | 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets, including those in cloud environments, and ensure the inventory includes asset attributes and approval status.
  v7 | 1.4 | Maintain Detailed Asset Inventory: Maintain an accurate and up-to-date inventory of all technology assets, including those connected to the network or not, for better management and compliance.