turbot/steampipe-mod-aws-compliance

Control: 12 ECS clusters should have Container Insights enabled

Description

This control checks whether each ECS cluster has Container Insights enabled. It fails for any cluster whose containerInsights cluster setting is not enabled.

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECS clusters. Use CloudWatch Container Insights to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects.

Remediation

To use Container Insights, see Updating a service in the Amazon CloudWatch User Guide. Note that Container Insights is a cluster-level setting, not a service-level one: set the containerInsights setting to enabled when the cluster is created, change it on an existing cluster with the ECS UpdateClusterSettings API (update-cluster-settings in the AWS CLI), or make it the default for all new clusters in the account with PutAccountSetting for the containerInsights account setting. Existing clusters are not changed by the account default and must be updated individually.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecs_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_12 --share

SQL

This control uses a named query:

select
  cluster_arn as resource,
  case
    when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then title || ' Container Insights enabled.'
    else title || ' Container Insights disabled.'
  end as reason,
  region,
  account_id
from
  aws_ecs_cluster as c,
  jsonb_array_elements(settings) as s;
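The named query above cross-joins each cluster with the elements of its settings array, which has two consequences worth knowing when you audit with it: a cluster whose settings array is empty produces no row at all (so it is neither ok nor alarm and silently drops out of the report), and a cluster that sets containerInsights to the newer value enhanced (Container Insights with enhanced observability) is reported as alarm even though Container Insights is on. The query below is an added example written for this page, not the mod's own query. It evaluates every cluster exactly once by pulling the containerInsights value into a scalar subquery, treats both enabled and enhanced as compliant, and reports a missing setting explicitly. The first CTE is constructed sample data (made-up ARNs, names and account ID) that stands in for the aws_ecs_cluster table so the query runs on plain PostgreSQL; delete that CTE to run the check against the real Steampipe table.

```sql
-- Added example, not part of the steampipe-mod-aws-compliance query.
-- Constructed sample clusters standing in for the Steampipe aws_ecs_cluster table.
with aws_ecs_cluster (cluster_arn, title, settings, region, account_id) as (
  values
    ('arn:aws:ecs:us-east-1:123456789012:cluster/prod', 'prod',
     '[{"Name":"containerInsights","Value":"enabled"}]'::jsonb, 'us-east-1', '123456789012'),
    ('arn:aws:ecs:us-east-1:123456789012:cluster/dev', 'dev',
     '[{"Name":"containerInsights","Value":"disabled"}]'::jsonb, 'us-east-1', '123456789012'),
    -- Empty settings array: the page's cross-join query emits no row for this cluster.
    ('arn:aws:ecs:us-east-1:123456789012:cluster/legacy', 'legacy',
     '[]'::jsonb, 'us-east-1', '123456789012'),
    -- Enhanced observability: Container Insights is on, but the page's query says alarm.
    ('arn:aws:ecs:us-east-1:123456789012:cluster/obs', 'obs',
     '[{"Name":"containerInsights","Value":"enhanced"}]'::jsonb, 'us-east-1', '123456789012')
),
insight as (
  -- Exactly one row per cluster. container_insights is NULL when the cluster has
  -- no containerInsights entry (empty or NULL settings), instead of dropping the row.
  select
    c.cluster_arn,
    c.title,
    c.region,
    c.account_id,
    (
      select s ->> 'Value'
      from jsonb_array_elements(coalesce(c.settings, '[]'::jsonb)) as s
      where s ->> 'Name' = 'containerInsights'
      limit 1
    ) as container_insights
  from aws_ecs_cluster as c
)
select
  cluster_arn as resource,
  case
    when container_insights in ('enabled', 'enhanced') then 'ok'
    else 'alarm'
  end as status,
  case
    when container_insights in ('enabled', 'enhanced')
      then title || ' Container Insights ' || container_insights || '.'
    when container_insights is null
      then title || ' has no containerInsights setting; Container Insights disabled.'
    else title || ' Container Insights ' || container_insights || '.'
  end as reason,
  region,
  account_id
from insight
order by cluster_arn;
```

On the sample data this returns four rows: dev and legacy are alarm, prod and obs are ok. The same four clusters run through the page's query give only three rows (legacy vanishes) and mark obs as alarm. If your organisation does not yet accept enhanced as compliant, drop it from the in-lists and the query reduces to a strict "enabled only" check that still reports every cluster.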

Tags