
Check for Fargate Platform Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ECS-004

Ensure that your Amazon Elastic Container Service (ECS) cluster services are using the latest version of the AWS Fargate platform in order to receive new features, new or improved capabilities, and security updates. An AWS Fargate platform version refers to a specific runtime environment for Fargate task infrastructure, that is, a particular combination of kernel and container runtime versions.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By updating your Amazon ECS cluster services to the newest AWS Fargate platform version, you pick up kernel and Operating System (OS) updates, new software features and capabilities, bug fixes, and security fixes. For example, Fargate platform version 1.4.0 encrypts task ephemeral storage with AES-256 using an AWS owned encryption key, supports Amazon EFS file system volumes for persistent task storage, and can route UDP traffic to Amazon ECS on Fargate tasks through a Network Load Balancer (NLB). Note that the platform version of a running task never changes: specifying LATEST for a service only selects the newest version available at the time of each deployment, and tasks that are already running keep their version until the service is redeployed. AWS also deprecates older platform versions over time, after which new tasks can no longer be launched on them.

Audit

To determine if your Amazon ECS cluster services are using the latest version of AWS Fargate platform, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to examine to access the resources available on the selected cluster.

05 Select the Services tab and choose FARGATE from the Launch type dropdown menu to list only the ECS cluster services configured with Amazon Fargate. Fargate is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS.

06 Choose the ECS cluster service that you want to examine and check the Fargate platform version shown in the Platform version column. Compare it with the latest Fargate platform version supported by Amazon ECS. If the version is lower than the latest supported version, the selected service is not using the newest Amazon Fargate platform. If the column shows LATEST, the service resolves the version at each deployment; open the service's running tasks and check the platform version each task was actually launched with, because tasks deployed before a newer version was released keep the older one until the service is redeployed.

07 Repeat step no. 6 to determine the Fargate platform version for each service running in the selected Amazon ECS cluster.

08 Repeat steps no. 4 – 7 for each Amazon ECS cluster provisioned within the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all Amazon ECS clusters available in the selected region:

aws ecs list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusterArns'

02 The command output should return a table with the requested ECS cluster ARNs:

--------------------------------------------------------------------
|                          ListClusters                            |
+------------------------------------------------------------------+
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-prod-es-cluster   |
|  arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster  |
+------------------------------------------------------------------+

03 Run list-services command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster that you want to examine as the identifier parameter and custom query filters to list the services that are running within the selected cluster:

aws ecs list-services \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-prod-es-cluster \
	--query 'serviceArns'

04 The command output should return an array with the requested cluster service ARNs:

[
	"arn:aws:ecs:us-east-1:123456789012:service/cc-prod-es-cluster/cc-main-task-service",
	"arn:aws:ecs:us-east-1:123456789012:service/cc-prod-es-cluster/cc-subs-task-service"
]

05 Run describe-services command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster service that you want to examine as the identifier parameter and custom query filters to return the Fargate platform version configured for the tasks within the selected service:

aws ecs describe-services \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-prod-es-cluster \
	--services arn:aws:ecs:us-east-1:123456789012:service/cc-prod-es-cluster/cc-main-task-service \
	--query 'services[*].platformVersion'

06 The command output should return the Fargate platform version installed for the service:

[
    "1.3.0"
]

Compare the platform version returned by the describe-services command with the latest Fargate platform version supported by Amazon ECS. If the version is lower than the latest supported version, the selected service is not using the newest Amazon Fargate platform. If the command returns "LATEST", the service only selects the newest version at deployment time; tasks started before a newer version was released keep the version they were launched with, so confirm the version actually in use with the describe-tasks command, which reports the resolved platformVersion of each running task.

07 Repeat step no. 5 and 6 for each service running in the selected Amazon ECS cluster.

08 Repeat steps no. 3 – 7 for each Amazon ECS cluster deployed in the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

Remediation / Resolution

To update the AWS Fargate platform to the latest version supported by Amazon ECS for all your ECS cluster services, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Clusters.

04 Click on the name of the ECS cluster that you want to reconfigure to access the resources available on the selected cluster.

05 Select the Services tab and choose FARGATE from the Launch type dropdown menu to list only the ECS cluster services that are using Amazon Fargate.

06 Select the ECS cluster service that you want to reconfigure, then choose Update.

07 On the Configure service page, select the latest Fargate platform version supported by Amazon ECS from the Platform version dropdown list and select the Force new deployment checkbox. Click Skip to review, then choose Update Service to update the selected Amazon ECS cluster service. A new deployment now replaces the service tasks with tasks running on the latest Fargate platform version available, honoring the service's deployment configuration (minimum healthy percent and maximum percent).

08 Repeat step no. 6 and 7 to update the Fargate platform version for other services running in the selected Amazon ECS cluster.

09 Repeat steps no. 4 – 8 for each Amazon ECS cluster available within the current region.

10 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-service command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster service that you want to reconfigure as the identifier parameter and custom query filters to update the Fargate platform to the latest version supported by Amazon ECS for the selected service. Include the --force-new-deployment command parameter so that a new deployment replaces the running tasks with tasks on the new platform version. The deployment is rolling and governed by the service's deployment configuration (minimum healthy percent and maximum percent), so schedule it as you would any other service update:

aws ecs update-service \
	--region us-east-1 \
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-prod-es-cluster \
	--service arn:aws:ecs:us-east-1:123456789012:service/cc-prod-es-cluster/cc-main-task-service \
	--platform-version "1.4.0" \
	--force-new-deployment \
	--query 'service.platformVersion'

02 The command output should return the new (latest) Fargate platform version installed for the service:

"1.4.0"

03 Repeat step no. 1 and 2 to update the Fargate platform version for other services running in the selected Amazon ECS cluster.

04 Repeat steps no. 1 – 3 for each Amazon ECS cluster provisioned in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
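The two CLI procedures above (the audit in steps 1 to 9 and the remediation in steps 1 to 5) can be driven from a single script. The following is an added example and is not code from the Conformity rule page or from AWS. It assumes AWS CLI v2 with credentials permitted to call ecs:List* and ecs:Describe* (and ecs:UpdateService when remediation is enabled), and it treats 1.4.0 (Linux) and 1.0.0 (Windows) as the newest platform versions, an assumption to re-check against the Fargate platform version pages of the ECS Developer Guide. It also adds the check the describe-services step alone does not give you: a service whose setting is the alias LATEST can still be running tasks launched on an older version, so the script reads the resolved platformVersion of the RUNNING tasks with describe-tasks. Remediation only happens when FIX=1 is set; by default the script reports.

```shell
#!/usr/bin/env bash
# Added example, not code from the Conformity rule page or from AWS. Audits every
# Fargate service in the regions given on the command line for an outdated platform
# version and, only when FIX=1 is exported, applies the remediation described above
# (update-service --platform-version ... --force-new-deployment).
# Assumes AWS CLI v2 with credentials allowed ecs:List*/ecs:Describe* (plus
# ecs:UpdateService when FIX=1). POSIX sh is enough; no jq needed.
set -eu

# Newest platform versions at the time of writing (assumption: re-check the Linux and
# Windows platform version pages of the ECS Developer Guide before trusting these).
LATEST_LINUX="1.4.0"
LATEST_WINDOWS="1.0.0"

# version_lt A B: exit 0 when dotted version A is lower than B ("1.3.0" < "1.4.0").
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# platform_status VERSION FAMILY: print OUTDATED, CURRENT, LATEST_ALIAS or UNKNOWN.
# "LATEST" is resolved only at deployment time, so a service reporting it may still
# be running tasks launched on an older version; task_versions shows what is in use.
platform_status() {
  ver=$1; family=${2:-LINUX}
  case "$family" in
    WINDOWS*) latest=$LATEST_WINDOWS ;;
    *)        latest=$LATEST_LINUX ;;
  esac
  case "$ver" in
    LATEST)        echo LATEST_ALIAS ;;
    ""|*[!0-9.]*)  echo UNKNOWN ;;    # e.g. "None" for a non-Fargate service
    *) if version_lt "$ver" "$latest"; then echo OUTDATED; else echo CURRENT; fi ;;
  esac
}

# task_versions REGION CLUSTER SERVICE: distinct platform versions of the RUNNING
# tasks, i.e. the versions actually in use (describe-tasks returns the resolved value).
task_versions() {
  tasks=$(aws ecs list-tasks --region "$1" --cluster "$2" --service-name "$3" \
            --desired-status RUNNING --query 'taskArns' --output text)
  if [ -z "$tasks" ] || [ "$tasks" = None ]; then return 0; fi
  # $tasks is intentionally unquoted: describe-tasks takes up to 100 ARNs as separate args.
  aws ecs describe-tasks --region "$1" --cluster "$2" --tasks $tasks \
      --query 'tasks[].platformVersion' --output text | tr '\t' '\n' | sort -u
}

# audit_region REGION: one tab-separated line per Fargate service
#   region  cluster  service  service_setting  status  running_task_versions
# and, with FIX=1, an update-service call for each OUTDATED service.
audit_region() {
  region=$1
  for cluster in $(aws ecs list-clusters --region "$region" --query 'clusterArns' --output text); do
    for svc in $(aws ecs list-services --region "$region" --cluster "$cluster" \
                   --launch-type FARGATE --query 'serviceArns' --output text); do
      aws ecs describe-services --region "$region" --cluster "$cluster" --services "$svc" \
          --query 'services[].[serviceName,platformVersion,platformFamily]' --output text |
      while read -r name ver family; do
        status=$(platform_status "$ver" "$family")
        running=$(task_versions "$region" "$cluster" "$name" | paste -s -d, -)
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$region" "${cluster##*/}" "$name" "$ver" "$status" "${running:-none}"
        if [ "$status" = OUTDATED ] && [ "${FIX:-0}" = 1 ]; then
          case "$family" in WINDOWS*) target=$LATEST_WINDOWS ;; *) target=$LATEST_LINUX ;; esac
          aws ecs update-service --region "$region" --cluster "$cluster" --service "$name" \
              --platform-version "$target" --force-new-deployment \
              --query 'service.platformVersion' --output text
        fi
      done
    done
  done
}

main() {
  printf 'region\tcluster\tservice\tsetting\tstatus\trunning_tasks\n'
  for r in "$@"; do audit_region "$r"; done
}

# Usage:  sh fargate_platform_audit.sh us-east-1 eu-west-1        (report only)
#         FIX=1 sh fargate_platform_audit.sh us-east-1            (report and remediate)
if [ "$#" -gt 0 ]; then main "$@"; else echo "usage: $0 REGION [REGION ...]" >&2; fi
```

Run it report-only first and review the running_tasks column: a service whose setting reads LATEST but whose tasks report 1.3.0 is exactly the case the page's describe-services step would miss. FIX=1 starts a rolling deployment for every OUTDATED service in the regions you name, so run it one region at a time during a change window and let each deployment finish before moving on.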


Publication date Dec 14, 2020