Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Amazon ECS Task Log Driver in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ECS-002

Ensure there is a log driver configured for the containers within your active Amazon ECS task definitions. The type of information that is logged by the containers within your tasks depends mostly on their ENTRYPOINT command. By default, the captured logs show the command output that you would normally see in an interactive terminal if you ran the container locally, which are the STDOUT and STDERR I/O streams.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Operational
excellence

Containers make it easy to package and share your applications, however they often run on a shared cluster. To access your containerized application logs for debugging and auditing purposes, Amazon ECS provides multiple log driver options that lets you send container logs to a central log service, such as Splunk or Amazon CloudWatch Logs. On top of centralized logging, these log drivers often include additional capabilities that are useful for operations. To implement an optimal logging driver for your containers, the log system must be properly configured in your Amazon ECS task definitions. You can then send the log information to Amazon CloudWatch Logs. For example, you can use the "awslogs" log driver to simply pass your logs from Docker to CloudWatch Logs. If you are using the AWS Fargate launch type for your Amazon ECS tasks, this allows you to view the logs from your containers. If you are using the EC2 launch type, this enables you to view different logs from your containers in one convenient location, and it prevents your container logs from taking up disk space on your ECS container instances.


Audit

To determine if there is a log driver configured for the containers within your Amazon ECS task definitions, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Task Definitions.

04 Click on the name of the active task definition that you want to examine. An active task definition has the Latest revision status set to ACTIVE.

05 Click on the name of the latest active revision created for the selected task definition. Each revision is marked using a number after the task definition name.

06 On the selected task definition page, in the Container Definitions section, click to expand the container definition that you want to examine, then check the Log driver attribute value available under Log Configuration. If Log driver is set to None or the attribute does not have any value at all, there is no log driver configured for the selected Amazon ECS container definition. Repeat this step to determine the log configuration of each container definition created for the selected Amazon ECS task definition.

07 Repeat steps no. 4 – 6 to verify each task definition available within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-task-definitions command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all active Amazon ECS task definitions available in the selected region:

aws ecs list-task-definitions
	--region us-east-1
	--status ACTIVE
	--query 'taskDefinitionArns'

02 The command output should return the requested task definition ARNs (including their revisions):

[
  "arn:aws:ecs:us-east-1:123412341234:task-definition/cc-ec2-task-definition:1",
  "arn:aws:ecs:us-east-1:123412341234:task-definition/cc-ec2-task-definition:2"
]

03 Run describe-task-definition command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the latest active revision for the task definition that you want to examine as identifier parameter, to describe the name of the log driver configured for the container(s) defined within the selected Amazon ECS task definition:

aws ecs describe-task-definition
  --region us-east-1
  --task-definition "arn:aws:ecs:us-east-1:123412341234:task-definition/cc-ec2-task-definition:2"
  --output table
  --query 'taskDefinition.containerDefinitions[*].{Container:name,LogDriver:logConfiguration.logDriver}'

04 The command output should return the requested log configuration information:

------------------------------
|   DescribeTaskDefinition   |
+--------------+-------------+
|   Container  |  LogDriver  |
+--------------+-------------+
|  container1  |  None       |
|  container2  |  None       |
|  container3  |  None       |
+--------------+-------------+

If the describe-task-definition command output returns None for LogDriver, there is no log driver configured for the container(s) defined within the selected Amazon ECS task definition.

05 Repeat step no. 3 and 4 to determine the log configuration for each Amazon ECS task definition available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To configure a log driver for the containers defined within your Amazon ECS task definitions, perform the following actions:

Note: As example, this section demonstrates how to enable and configure the "awslogs" log driver for the containers within your active task definitions. Once enabled, the containers in your tasks will send the log information to a specified Amazon CloudWatch Logs log group.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Container Service (ECS) console at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECS, select Task Definitions.

04 Click on the name of the active task definition that you want to reconfigure. An active task definition has the Latest revision status set to ACTIVE.

05 Select the latest active revision created for the selected task definition, and choose Create new revision.

06 On the Create new revision of Task Definition page, perform the following:

  • Click on the name of the container definition that you want to reconfigure, available in the Container Definitions section.
  • On the Edit container configuration panel, in the STORAGE AND LOGGING section, select Auto-configure CloudWatch Logs checkbox next to Log configuration to enable the "awslogs" log driver and configure the selected container to automatically send the log information to an Amazon CloudWatch Logs log group. If you don't want to use the "awslogs" log driver and send the log information to Amazon CloudWatch Logs, select the preferred log driver from the Log driver dropdown list and use the Log options controls to configure the log driver selected. Choose Update to save the changes.
  • Repeat step a. and b. for each container definition created for the selected task definition.
  • Click Create to register the new revision of the selected Amazon ECS task definition.

07 If the selected task definition is used in a service, you must update that service to use the new version of the task definition. In the navigation panel, under Amazon ECS, select Clusters, and click on the name of the Amazon ECS cluster that you want to access.

08 Choose the Services tab, select the cluster service associated with the task definition reconfigured at the previous steps, and choose Update.

09 On the Update Service page, within the Configure service section, select the latest task definition revision, created earlier in the process, from the Revision dropdown list. Click Skip to review, then choose Update Service to update the selected Amazon ECS cluster service.

10 Repeat step no. 4 – 9 to enable and configure a log driver for each Amazon ECS task definition available within the current AWS region

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-log-group command (OSX/Linux/UNIX) to create the Amazon CloudWatch Logs log group where the containers in your tasks will send the log information (the command does not produce an output):

aws logs create-log-group
	--region us-east-1
	--log-group-name /ecs/cc-ec2-task-definition

02 Run describe-task-definition command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the latest active revision for the task definition that you want to reconfigure as identifier parameter, to describe the container definition(s) created for the selected Amazon ECS task definition:

aws ecs describe-task-definition
	--region us-east-1
	--task-definition "arn:aws:ecs:us-east-1:123456789012:task-definition/cc-ec2-task-definition:2"
	--query 'taskDefinition.{"containerDefinitions":containerDefinitions}'

03 The command output should return the requested container definition(s):

{
    "containerDefinitions": [
        {
            "environment": [],
            "name": "cc-prod-container",
            "mountPoints": [],
            "image": "cc-repository/nginx",
            "cpu": 0,
            "portMappings": [
                {
                    "protocol": "tcp",
                    "containerPort": 80,
                    "hostPort": 80
                }
            ],
            "memory": 128,
            "essential": true,
            "volumesFrom": []
        }
    ]
}

04 Update the container definition(s) returned at the previous step to include the task definition family name and the "awslogs" log driver configuration (highlighted). Use the name of the Amazon CloudWatch Logs log group created earlier in the process as value for the "awslogs-group" configuration property. Save your updated container definition(s) to a JSON file named cc-log-driver-config.json:

{  
    "family": "cc-ec2-task-definition",
    "containerDefinitions": [
        {
            "environment": [],
            "name": "cc-prod-container",
            "mountPoints": [],
            "image": "cc-repository/nginx",
            "cpu": 0,
            "portMappings": [
                {
                    "protocol": "tcp",
                    "containerPort": 80,
                    "hostPort": 80
                }
            ],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "ecs",
                    "awslogs-group": "/ecs/cc-ec2-task-definition"
                }
            },
            "memory": 128,
            "essential": true,
            "volumesFrom": []
        }
    ]
}

05 Run register-task-definition command (OSX/Linux/UNIX) using the container definition(s) updated at the previous step (i.e. cc-log-driver-config.json) as input parameters, to register a new revision of the selected Amazon ECS task definition:

aws ecs register-task-definition
	--region us-east-1
	--cli-input-json file://cc-log-driver-config.json

06 The command output should return the metadata for the newly created task definition revision:

{
    "taskDefinition": {
        "status": "ACTIVE",
        "family": "cc-ec2-task-definition",
        "placementConstraints": [],
        "requiresAttributes": [
            {
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
            }
        ],
        "compatibilities": [
            "EC2"
        ],
        "volumes": [],
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/cc-ec2-task-definition:3",
        "containerDefinitions": [
            {
                "environment": [],
                "name": "cc-prod-container",
                "mountPoints": [],
                "image": "cc-repository/nginx",
                "cpu": 0,
                "portMappings": [
                    {
                        "protocol": "tcp",
                        "containerPort": 80,
                        "hostPort": 80
                    }
                ],
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-region": "us-east-1",
                        "awslogs-stream-prefix": "ecs",
                        "awslogs-group": "/ecs/cc-ec2-task-definition"
                    }
                },
                "memory": 128,
                "essential": true,
                "volumesFrom": []
            }
        ],
        "revision": 3
    }
}

07 If the selected task definition is used in a service, you must update that service to use the new version of the task definition. Run update-service command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the ECS cluster service that you want to reconfigure as identifier parameter, to update the specified ECS task definition to the latest revision. Use the --task-definition command parameter to specify the latest revision of your reconfigured task definition:

aws ecs update-service
	--region us-east-1
	--cluster arn:aws:ecs:us-east-1:123456789012:cluster/cc-project5-cluster
	--service arn:aws:ecs:us-east-1:123456789012:service/cc-project5-cluster/cc-ec2-service
	--task-definition cc-ec2-task-definition:3
	--query 'service.taskDefinition'

08 The command output should return the ARN of the reconfigured Amazon ECS task definition:

"arn:aws:ecs:us-east-1:123456789012:task-definition/cc-ec2-task-definition:3"

09 Repeat steps no. 1 – 8 to enable and configure a log driver for each Amazon ECS task definition available in the selected AWS region

10 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References

Publication date Dec 14, 2020