Benchmark: ECS
Description
This section contains recommendations for configuring ECS resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select ECS.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_ecs
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_ecs --share
Controls
- ECS clusters should have container insights enabled
- ECS cluster container instances should have connected agent
- ECS clusters encryption at rest should be enabled
- ECS cluster instances should be in a VPC
- ECS cluster should be configured with active services
- At least one instance should be registered with ECS cluster
- ECS fargate services should run on the latest fargate platform version
- ECS services should be attached to a load balancer
- AWS ECS services should not have public IP addresses assigned to them automatically
- ECS task definition containers should not have secrets passed as environment variables
- ECS containers should run as non-privileged
- ECS containers should be limited to read-only access to root filesystems
- ECS task definitions should have logging enabled
- ECS task definitions should not share the host's process namespace
- ECS task definitions should not use root user.
- ECS task definition container definitions should be checked for host mode