Control: 9 ECS task definitions should have a logging configuration
Description
This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition doesn't have the logConfiguration property defined or if the value for logDriver is null in at least one container definition.
Logging helps you maintain the reliability, availability, and performance of Amazon ECS. Collecting data from task definitions provides visibility, which can help you debug processes and find the root cause of errors. If you are using a logging solution that does not have to be defined in the ECS task definition (such as a third-party logging solution), you can disable this control after ensuring that your logs are properly captured and delivered.
Remediation
To define a log configuration for your Amazon ECS task definitions, see Specifying a log configuration in your task definition in the Amazon Elastic Container Service Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ecs_9
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_9 --share
SQL
This control uses a named query:
with task_definitions_logging_enabled as (
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
  where
    c ->> 'LogConfiguration' is not null
)
select
  a.task_definition_arn as resource,
  case
    when b.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.arn is not null then a.title || ' logging enabled.'
    else a.title || ' logging disabled.'
  end as reason
  , region, account_id
from
  aws_ecs_task_definition as a
  left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;
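The per-container rule from the Description (fail when any container lacks logConfiguration or has a null logDriver), as an added example that is not part of the Powerpipe mod. The task definition is a constructed sample shaped like `aws ecs describe-task-definition` output, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the "taskDefinition" object returned by
# `aws ecs describe-task-definition`; ARN, names and values are made up.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "taskDefinitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/web:7",
  "status": "ACTIVE",
  "containerDefinitions": [
    {"name": "app",
     "logConfiguration": {"logDriver": "awslogs",
                          "options": {"awslogs-group": "/ecs/web"}}},
    {"name": "sidecar"},
    {"name": "init", "logConfiguration": {"logDriver": null}}
  ]
}
""")


def _field(obj, name):
    """Read a key in camelCase (AWS API) or PascalCase (as in the page's query)."""
    if not isinstance(obj, dict):
        return None
    return obj.get(name, obj.get(name[0].upper() + name[1:]))


def containers_without_logging(task_def):
    """Names of containers with no logConfiguration or a null/empty logDriver."""
    missing = []
    for c in _field(task_def, "containerDefinitions") or []:
        log_cfg = _field(c, "logConfiguration")
        if not _field(log_cfg, "logDriver"):
            missing.append(_field(c, "name") or "<unnamed>")
    return missing


def evaluate(task_def):
    """Return (status, reason) using the per-container rule from the Description."""
    arn = _field(task_def, "taskDefinitionArn") or "<unknown arn>"
    missing = containers_without_logging(task_def)
    if not (_field(task_def, "containerDefinitions") or []):
        return "alarm", f"{arn} has no container definitions."
    if missing:
        return "alarm", f"{arn} logging not configured for: {', '.join(missing)}."
    return "ok", f"{arn} logging enabled for all containers."


if __name__ == "__main__":
    print(evaluate(SAMPLE_TASK_DEFINITION))
```

The named query above reports 'ok' as soon as one container in a task definition has a non-null LogConfiguration, so a task definition like this sample, with one logged container and unlogged sidecars, is worth checking per container.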