Profile Applicability:

  • Level 1

Description:
 Ensure all Amazon ECS task definitions have resource tags to facilitate asset management, tracking, and compliance.

Rationale:
 Consistent tagging supports compliance and helps identify unauthorized or misconfigured resources. It provides better management and makes it easier to enforce policies across your resources.

Impact:
 There is minimal administrative overhead associated with implementing and maintaining resource tags. However, tags improve resource organization, facilitate compliance, and enhance tracking.

Default Value:
 By default, Amazon ECS task definitions are not tagged.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the Amazon ECS Console.

  2. In the left panel, click Task definitions.

  3. Click the name of a task definition.

  4. Click on the latest active revision of the task definition.

  5. Click Tags.

  6. Ensure at least one tag is listed that does not begin with aws:. Tags prefixed with aws: are AWS-managed.

  7. Repeat steps 1–6 for each ECS task definition.

Using AWS CLI:

  1. Run the following command to list task definitions:

     aws ecs list-task-definitions

  2. Run the following command to view the tags for a task definition:

     aws ecs list-tags-for-resource --resource-arn <task-definition-arn>

  3. Ensure that tags are returned that do not begin with aws:. Tags prefixed with aws: are AWS-managed.

  4. Repeat for each task definition.
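The CLI test plan above, automated as a POSIX shell audit. This is an added example, not part of the benchmark; it assumes the AWS CLI is installed and configured with read access to ECS, and its parsing relies on the "key"/"value" JSON layout that aws ecs list-tags-for-resource emits.

```shell
#!/bin/sh
# Added audit script (not part of the benchmark): checks every active ECS task
# definition revision for at least one user-defined tag, i.e. a tag whose key
# does not start with "aws:" (those are AWS-managed and do not count).
# Assumes the AWS CLI is configured with ecs:ListTaskDefinitions and
# ecs:ListTagsForResource permissions for the target account and region.

# Print the user-defined tag keys found in the JSON that
# "aws ecs list-tags-for-resource" writes; reads the JSON from stdin.
user_tag_keys() {
  grep -o '"key": *"[^"]*"' | sed 's/"key": *"\([^"]*\)"/\1/' | grep -v '^aws:' || true
}

# Succeed (exit 0) only if the JSON on stdin carries at least one user-defined tag.
has_user_tags() {
  [ -n "$(user_tag_keys)" ]
}

# Constructed sample, shaped like real list-tags-for-resource output: the only
# tag is AWS-managed, so this revision must be reported as failing the check.
SAMPLE_TAGS_JSON='{"tags": [{"key": "aws:cloudformation:stack-name", "value": "demo-stack"}]}'

# Walk every active revision (tags are attached per revision ARN, which is why
# the CLI test plan repeats the check for each one) and print PASS/FAIL per ARN.
audit_task_definitions() {
  aws ecs list-task-definitions --status ACTIVE \
      --query 'taskDefinitionArns[]' --output text | tr '\t' '\n' |
  while read -r arn; do
    [ -n "$arn" ] || continue
    if aws ecs list-tags-for-resource --resource-arn "$arn" --output json | has_user_tags; then
      printf 'PASS %s\n' "$arn"
    else
      printf 'FAIL %s (no user-defined tags)\n' "$arn"
    fi
  done
}

# Run the live audit only when invoked with --audit; otherwise exercise the
# parser on the constructed sample so the script can be tried offline.
if [ "${1:-}" = "--audit" ]; then
  audit_task_definitions
elif printf '%s' "$SAMPLE_TAGS_JSON" | has_user_tags; then
  echo "sample: PASS (unexpected)"
else
  echo "sample: FAIL (only aws:-prefixed tags present)"
fi
```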

Implementation Plan:

Using AWS Console:

  1. Log in to the Amazon ECS Console.

  2. In the left panel, click Task definitions.

  3. Click the name of a task definition.

  4. Click on the latest active revision of the task definition.

  5. Click Create new revision.

  6. Click Create new revision again.

  7. Expand the Tags section.

  8. Click Add tag.

  9. Provide a Key and an optional Value for the tag.

  10. Click Create.

  11. Repeat steps 1–10 for each task definition requiring remediation.

Using AWS CLI:

  1. For each task definition requiring remediation, run the following command to add tags:

     aws ecs tag-resource --resource-arn <task-definition-arn> --tags Key=<tag-key>,Value=<tag-value>

Backout Plan:

Using AWS Console:

  1. If there are any issues after tagging, you can remove or modify tags by following the same process but selecting the Delete option for tags.

Using AWS CLI:

  1. To remove tags, run the following command:

     aws ecs untag-resource --resource-arn <task-definition-arn> --tag-keys <tag-key>

References:

  1. Amazon ECS Tagging Guide

  2. AWS CLI: List ECS Task Definitions

  3. AWS CLI: List Tags for ECS Resource

CIS Controls:

  Version   Control ID   Control Description
  v8        1.1          Establish and Maintain Detailed Enterprise Asset Inventory: Maintain an accurate and up-to-date inventory of all enterprise assets, including those in cloud environments, to ensure proper management and security.
  v7        1.4          Maintain Detailed Asset Inventory: Ensure the inventory includes all hardware and software assets with the potential to store or process information, whether connected to the organization's network or not.