turbot/steampipe-mod-aws-compliance

Control: ECS task definitions should have logging enabled

Description

Ensure that ECS task definitions configure a log driver for their containers, so that containerized application logs are available for debugging, incident investigation and auditing. Beyond centralized log collection, the available log drivers (for example awslogs, awsfirelens or splunk) often provide additional capabilities that are useful in day-to-day operations.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ecs_task_definition_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ecs_task_definition_logging_enabled --share

SQL

This control uses a named query. Note what it actually checks: a task definition is reported as ok when at least one of its container definitions carries a LogConfiguration. It does not require every container in the task to log, and it does not validate the chosen log driver or its options.

-- Collect the ARNs of task definitions in which at least one container
-- definition has a LogConfiguration block.
with task_definitions_logging_enabled as (
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
  where
    c ->> 'LogConfiguration' is not null
)
-- Left join every task definition against that set: a match means ok,
-- no match means no container in the task logs at all.
select
  a.task_definition_arn as resource,
  case
    when b.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.arn is not null then a.title || ' logging enabled.'
    else a.title || ' logging disabled.'
  end as reason
  , region, account_id
from
  aws_ecs_task_definition as a
  left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;
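The control query above passes a task definition as soon as one container logs. The following is an added example, not part of the mod, of a stricter variant that alarms when any container in the task definition lacks a LogConfiguration and names the offending containers in the reason. It assumes the same aws_ecs_task_definition table and the same PascalCase JSON keys as the control query ('LogConfiguration'); the 'Name' and 'LogDriver' keys used here follow the AWS API field names and are an assumption about how the plugin serializes container definitions.

```sql
-- Added example (not the mod's own control query): alarm if ANY container
-- in a task definition has no LogConfiguration, and list those containers.
-- Assumption: container definitions are serialized with PascalCase keys
-- ('Name', 'LogConfiguration', 'LogDriver'), as the control query implies.
with containers as (
  select
    task_definition_arn,
    c ->> 'Name' as container_name,
    c -> 'LogConfiguration' ->> 'LogDriver' as log_driver
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
),
per_task as (
  select
    task_definition_arn,
    count(*) as container_count,
    count(*) filter (where log_driver is null) as unlogged_count,
    -- Names of containers without a log driver, for the reason column.
    string_agg(container_name, ', ' order by container_name)
      filter (where log_driver is null) as unlogged_containers,
    -- Distinct drivers in use, so reviewers can spot e.g. json-file
    -- (local only) versus awslogs / awsfirelens (centralized).
    string_agg(distinct log_driver, ', ') as log_drivers
  from
    containers
  group by
    task_definition_arn
)
select
  a.task_definition_arn as resource,
  case
    when p.unlogged_count = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when p.unlogged_count = 0 then
      a.title || ' all ' || p.container_count::text
        || ' container(s) log via ' || p.log_drivers || '.'
    else
      a.title || ' ' || p.unlogged_count::text || ' of '
        || p.container_count::text || ' container(s) without logging: '
        || p.unlogged_containers || '.'
  end as reason,
  a.region,
  a.account_id
from
  aws_ecs_task_definition as a
  -- ECS requires at least one container per task definition, so an inner
  -- join loses nothing here.
  join per_task as p on a.task_definition_arn = p.task_definition_arn;
```

Run it directly with `steampipe query` or wire it into a custom control with the same `resource`, `status` and `reason` columns that Powerpipe expects. If the plugin in use emits camelCase keys instead, adjust the three JSON key names accordingly; the aggregation logic is unchanged.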

Tags