Check for ECS Container Instance Agent Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ECS-005

Ensure that your Amazon ECS cluster instances are running the latest version of the ECS container agent in order to benefit from bug fixes and new software features. Updating the Amazon ECS container agent does not interrupt running tasks or services on the container instances.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security, Operational excellence

Each Amazon ECS container agent version supports a different set of features and improvements and carries bug fixes for issues found in previous versions. It is therefore strongly recommended to keep the Amazon ECS container agent on your ECS cluster instances updated to the latest version.


Audit

To determine if your Amazon ECS cluster instances are using the latest ECS container agent version, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to examine, to access the compute resources available on the selected cluster.

05 Select the ECS Instances tab, and click on the ID (link) of the ECS instance that you want to examine, listed in the Container Instance column.

06 On the selected container instance page, select the Details tab, and check the Agent version attribute value to determine the ECS container agent version installed. Compare the installed version with the latest version of the container agent supported by the Amazon ECS service. If the installed version is lower than the latest version supported by Amazon ECS, the container agent installed on the selected Amazon ECS container instance is outdated.

07 Repeat steps no. 5 and 6 to determine the container agent version for each instance provisioned in the selected Amazon ECS cluster.

08 Repeat steps no. 4 – 7 for each Amazon ECS cluster available within the current AWS region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-clusters command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all Amazon ECS clusters available in the selected region:

aws ecs list-clusters \
    --region us-east-1 \
    --output table \
    --query 'clusterArns'

02 The command output should return a table with the requested ECS cluster ARNs:

--------------------------------------------------------------------
|                          ListClusters                            |
+------------------------------------------------------------------+
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster  |
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-backend-cluster   |
+------------------------------------------------------------------+

03 Run the list-container-instances command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster that you want to examine as the identifier parameter, together with custom query filters, to list the container instances that are running within the selected cluster:

aws ecs list-container-instances \
    --region us-east-1 \
    --cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster \
    --query 'containerInstanceArns'

04 The command output should return an array with the requested container instance ARNs:

[
	"arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/abcd1234abcd1234abcd1234abcd1234",
	"arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/1234abcd1234abcd1234abcd1234abcd"
]

05 Run the describe-container-instances command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the Amazon ECS container instance that you want to examine as the identifier parameter, together with custom query filters, to return the ECS container agent version installed on the selected instance:

aws ecs describe-container-instances \
    --region us-east-1 \
    --cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster \
    --container-instances arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/abcd1234abcd1234abcd1234abcd1234 \
    --query 'containerInstances[*].versionInfo.agentVersion'

06 The command output should return the ECS container agent version installed on the instance:

[
    "1.41.0"
]

Compare the installed version returned by the describe-container-instances command with the latest version of the container agent supported by the Amazon ECS service. If the installed version is lower than the latest version supported by Amazon ECS, the selected container instance is not using the most up-to-date version of the Amazon ECS container agent.

07 Repeat steps no. 5 and 6 to determine the container agent version for each instance deployed in the selected Amazon ECS cluster.

08 Repeat steps no. 3 – 7 for each Amazon ECS cluster available in the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.
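The comparison in steps 5 and 6 is easy to get wrong when scripted, because agent versions such as "1.9.0" and "1.41.0" do not sort correctly as strings. The following Python is an added example, not part of the Conformity rule or of any AWS tooling: it parses the JSON that describe-container-instances returns (a constructed sample is embedded), compares each agentVersion numerically against a latest version string that the caller supplies, and flags instances whose agent never reported a version.

```python
"""Audit ECS container agent versions from describe-container-instances output."""
import json

# Constructed sample of the JSON that `aws ecs describe-container-instances`
# returns, trimmed to the fields the audit reads; not real AWS output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "containerInstances": [
        {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/abcd1234abcd1234abcd1234abcd1234",
         "agentConnected": True,
         "versionInfo": {"agentVersion": "1.41.0"}},
        {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/1234abcd1234abcd1234abcd1234abcd",
         "agentConnected": True,
         "versionInfo": {"agentVersion": "1.46.0"}},
        {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/ffff0000ffff0000ffff0000ffff0000",
         "agentConnected": False,
         "versionInfo": {}},
    ],
    "failures": [],
})


def parse_version(version):
    """Turn '1.41.0' into (1, 41, 0) so versions compare numerically.

    Comparing the raw strings is a classic audit bug: '1.9.0' > '1.41.0'
    lexically, so an old agent would wrongly pass as up to date.
    """
    return tuple(int(part) for part in version.split("."))


def find_outdated_instances(describe_output, latest_version):
    """Return [(container instance ARN, installed version)] for each instance
    whose agent is older than latest_version (the current ECS agent release,
    supplied by the caller). An instance that never reported a version, for
    example one whose agent is disconnected, is flagged as 'unknown'."""
    latest = parse_version(latest_version)
    outdated = []
    for inst in json.loads(describe_output)["containerInstances"]:
        installed = inst.get("versionInfo", {}).get("agentVersion")
        if not installed:
            outdated.append((inst["containerInstanceArn"], "unknown"))
        elif parse_version(installed) < latest:
            outdated.append((inst["containerInstanceArn"], installed))
    return outdated


if __name__ == "__main__":
    for arn, ver in find_outdated_instances(SAMPLE_DESCRIBE_OUTPUT, "1.46.0"):
        print(f"OUTDATED {ver:>8}  {arn}")
```

To run it against a real cluster, pipe the output of the describe-container-instances command from step 5 (without the --query filter) into find_outdated_instances together with the latest agent version you obtained from the ECS documentation.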

Remediation / Resolution

To update the Amazon ECS container agent to the latest version supported by Amazon ECS for all your container instances, perform the following operations:

Note: As an example, this section demonstrates how to update the Amazon ECS container agent on container instances launched from ECS-Optimized Amazon Linux AMIs.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to reconfigure, to access the compute resources available on the selected cluster.

05 Select the ECS Instances tab, and click on the ID (link) of the ECS instance that you want to reconfigure, listed in the Container Instance column.

06 On the selected container instance page, click on the Update agent button from the console top menu to start the update process. Once the process is successfully completed, the selected container instance will run the latest version of the Amazon ECS container agent. Updating the ECS container agent does not interrupt running tasks or services on the selected container instance.

07 Repeat steps no. 5 and 6 to update the container agent version for the other instances created in the selected Amazon ECS cluster.

08 Repeat steps no. 4 – 7 for each Amazon ECS cluster available within the current AWS region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the update-container-agent command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS container instance that you want to reconfigure as the identifier parameter, to update the Amazon ECS container agent running on the selected container instance to the latest agent version supported by the Amazon ECS service. Updating the Amazon ECS container agent does not interrupt running tasks or services on the selected instance:

aws ecs update-container-agent \
    --region us-east-1 \
    --cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster \
    --container-instance arn:aws:ecs:us-east-1:123456789012:container-instance/cc-project5-cluster/abcd1234abcd1234abcd1234abcd1234

02 The command output should return the metadata for the reconfigured container instance:

{
    "containerInstance": {
        "status": "ACTIVE",
        "registeredAt": 1603453999.650,
        "ec2InstanceId": "i-0abcdabcdabcdabcd",
        "tags": [],
        "agentConnected": true,
        "version": 11,

        ...

        "versionInfo": {
            "agentVersion": "1.46.0",
            "agentHash": "12341234",
            "dockerVersion": "DockerVersion: 19.03.6-ce"
        },
        "runningTasksCount": 0,
        "attachments": []
    }
}

03 Repeat steps no. 1 and 2 to update the container agent version for the other instances available within the selected Amazon ECS cluster.

04 Repeat steps no. 1 – 3 for each Amazon ECS cluster deployed in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

Publication date Dec 14, 2020