Ensure Logging Configuration for ECS Task Definitions

Checks that all ECS task definitions have a defined logging configuration to enable appropriate logging and monitoring of container activities.

Rule	ECS task definitions should have a logging configuration
Framework	AWS Foundational Security Best Practices
Severity	✔ High

Rule Description:

When defining ECS task definitions on AWS, it is essential to include a logging configuration to comply with Amazon Web Services Foundational Security Best Practices. Implementing proper logging ensures that vital information and data about the tasks are captured, stored, and easily accessible for security monitoring and auditing purposes.

Troubleshooting Steps:

If logging configuration is missing in the ECS task definitions, follow these steps to remediate the issue:

1.
Review the existing task definitions to identify any missing logging configurations.

2.
Update the task definition with the necessary logging parameters.

3.
Verify that the logging configuration is correctly applied.

Necessary Codes:

To add logging configuration to an ECS task definition, you can utilize the following JSON snippet as an example:

{
  "containerDefinitions": [
    {
      "name": "your-container-name",
      "image": "your-container-image",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/your-log-group",
          "awslogs-region": "your-aws-region",
          "awslogs-stream-prefix": "your-stream-prefix"
        }
      }
    }
  ]
}

Ensure to replace placeholders like "your-container-name," "your-container-image," "your-log-group," "your-aws-region," and "your-stream-prefix" with appropriate values specific to your setup.

Step-by-Step Guide for Remediation:

1.
Log in to the AWS Management Console.

2.
Navigate to the Amazon ECS service.

3.
Click on "Task Definitions" in the left-hand menu.

4.
Select the task definition that needs logging configuration.

5.
Click on "Create new revision" to make changes to the task definition.

6.
In the task definition editor, locate the container definition that requires logging.

7.
Add the "logConfiguration" section within the container definition with the appropriate settings as per the example code provided above.

8.
Save the changes by clicking on "Create" or "Update" the task definition.

9.
Once the task definition is updated, ensure to update your ECS service to use the latest task definition revision with logging configuration.

10.
Monitor the logs in the specified log group to verify that the logging is functioning as expected.

By following these steps and including logging configuration in ECS task definitions, you ensure compliance with AWS Foundational Security Best Practices and enhance the security posture of your ECS workloads.

Ensure Logging Configuration for ECS Task Definitions

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Troubleshooting Steps:

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Necessary Codes:

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Step-by-Step Guide for Remediation:

Is your System Free of Underlying Vulnerabilities? Find Out Now

Troubleshooting Steps:

Necessary Codes:

Step-by-Step Guide for Remediation:

Is your System Free of Underlying Vulnerabilities?
Find Out Now