AWS ECS

The best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities that the provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Asset Inventory

Design Guidance:

AWS::ECS::Cluster

Tags
Terraform
Cluster Name
Terraform

AWS::ECS::PrimaryTaskSet

Cluster
Task Set Id
Service

AWS::ECS::Service

Cluster
Terraform
Load Balancers-Container Name
Terraform
Load Balancers-Load Balancer Name
Terraform
Load Balancers-Target Group Arn
Terraform
Service Name
Terraform
Service Registries
Terraform
Service Registries-Container Name
Terraform
Service Registries-Registry Arn
Terraform
Tags
Terraform

AWS::ECS::TaskDefinition

Depends On-Container Name
Terraform
Container Definitions-Hostname
Terraform
Volumes-Efsvolume Configuration
Terraform
Efsvolume Configuration-Filesystem Id
Terraform
Tags
Terraform

AWS::ECS::TaskSet

Cluster
Terraform
Load Balancers-Container Name
Terraform
Load Balancers-Load Balancer Name
Terraform
Service
Terraform
Service Registries-Container Name
Terraform
Service Registries-Registry Arn
Terraform

AWS::ECS::CapacityProvider

Name
Terraform
Tags
Terraform

Logging

Design Guidance:

AWS::ECS::Cluster

Cluster Settings
Terraform
Cluster Settings-Name
Terraform
Cluster Settings-Value
Terraform

AWS::ECS::TaskDefinition

Firelens Configuration-Type
Terraform
Firelens Configuration-Options
Terraform
Log Configuration-Log Driver
Terraform

Hardening

Design Guidance:

AWS::ECS::Service

Launch Type
Terraform

AWS::ECS::TaskDefinition

Container Definitions-Docker Security Options
Terraform

AWS::ECS::TaskSet

Launch Type
Terraform
Platform Version
Terraform
Task Definition
Terraform

Load Balancing

AWS::ECS::Service

Load Balancers
Terraform

AWS::ECS::TaskSet

Load Balancers
Terraform

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

AWS::ECS::Service

Load Balancers-Container Port
Terraform
Service Registries-Container Port
Terraform
Service Registries-Port
Terraform

AWS::ECS::TaskDefinition

Port Mappings-Container Port
Terraform
Port Mappings-Host Port
Terraform
Efsvolume Configuration-Transit Encryption Port
Terraform

AWS::ECS::TaskSet

Load Balancers-Container Port
Terraform
Service Registries-Container Port
Terraform
Service Registries-Port
Terraform

Subnet Isolation

Design Guidance:

AWS::ECS::Service

Network Configuration-AWS VPC Configuration
Terraform
AWS VPC Configuration-Assign Public Ip
Terraform
AWS VPC Configuration-Subnets
Terraform

AWS::ECS::TaskSet

Network Configuration-AWS VPC Configuration
Terraform
AWS VPC Configuration-Assign Public Ip
Terraform
AWS VPC Configuration-Subnets
Terraform

Firewalls

Design Guidance:

AWS::ECS::Service

AWS VPC Configuration-Security Groups
Terraform

AWS::ECS::TaskSet

AWS VPC Configuration-Security Groups
Terraform

Utilize Role-based Access Control

Design Guidance:

AWS::ECS::Service

Role
Terraform

AWS::ECS::TaskDefinition

Execution Role Arn
Terraform
Task Role Arn
Terraform

Input Validation

Design Guidance:

AWS::ECS::TaskDefinition

Container Definitions
Terraform
Container Definitions-Command
Terraform
Container Definitions-Environment
Terraform
Container Definitions-Environment Files
Terraform

Network Isolation and Segregation

Design Guidance:

AWS::ECS::TaskDefinition

Container Definitions-Disable Networking
Terraform

Name/Address Resolution Integrity

Design Guidance:

AWS::ECS::TaskDefinition

Container Definitions-Dns Search Domains
Terraform
Container Definitions-Dns Servers
Terraform
Container Definitions-Extra Hosts
Terraform

Design for High Availability

Design Guidance:

AWS::ECS::TaskDefinition

Container Definitions-Health Check
Terraform
Health Check-Command
Terraform
Health Check-Interval
Terraform
Health Check-Timeout
Terraform
Health Check-Retries
Terraform
Health Check-Start Period
Terraform
Port Mappings-Protocol
Terraform

AWS::ECS::CapacityProvider

Auto Scaling Group Provider
Terraform
Managed Scaling-Status
Terraform
Auto Scaling Group Provider-Managed Termination Protection
Terraform

Password Complexity

Design Guidance:

AWS::ECS::TaskDefinition

Secret Options-Name
Terraform
Secret Options-Value From
Terraform
Repository Credentials-Credentials Parameter
Terraform
Secrets-Name
Terraform
Secrets-Value From
Terraform

Privileged Access Management

AWS::ECS::TaskDefinition

Container Definitions-Privileged
Terraform
Container Definitions-Readonly Root Filesystem
Terraform
Container Definitions-User
Terraform
Efsvolume Configuration-Root Directory
Terraform

TLS

Design Guidance:

AWS::ECS::TaskDefinition

Efsvolume Configuration-Transit Encryption
Terraform

Information Flow Routing

AWS::ECS::TaskSet

Load Balancers-Target Group Arn
Terraform