Ensure there is a log driver configured for the containers within your active Amazon ECS task definitions. The type of information that is logged by the containers within your tasks depends mostly on their ENTRYPOINT command. By default, the captured logs show the command output that you would normally see in an interactive terminal if you ran the container locally, which are the STDOUT and STDERR I/O streams.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
excellence
Containers make it easy to package and share your applications, however they often run on a shared cluster. To access your containerized application logs for debugging and auditing purposes, Amazon ECS provides multiple log driver options that lets you send container logs to a central log service, such as Splunk or Amazon CloudWatch Logs. On top of centralized logging, these log drivers often include additional capabilities that are useful for operations. To implement an optimal logging driver for your containers, the log system must be properly configured in your Amazon ECS task definitions. You can then send the log information to Amazon CloudWatch Logs. For example, you can use the "awslogs" log driver to simply pass your logs from Docker to CloudWatch Logs. If you are using the AWS Fargate launch type for your Amazon ECS tasks, this allows you to view the logs from your containers. If you are using the EC2 launch type, this enables you to view different logs from your containers in one convenient location, and it prevents your container logs from taking up disk space on your ECS container instances.
Audit
To determine if there is a log driver configured for the containers within your Amazon ECS task definitions, perform the following actions:
Remediation / Resolution
To configure a log driver for the containers defined within your Amazon ECS task definitions, perform the following actions:
Note: As example, this section demonstrates how to enable and configure the "awslogs" log driver for the containers within your active task definitions. Once enabled, the containers in your tasks will send the log information to a specified Amazon CloudWatch Logs log group.References
- AWS Documentation
- Amazon Elastic Container Service FAQs
- Task definition parameters
- Updating a task definition
- Using the awslogs log driver
- AWS Command Line Interface (CLI) Documentation
- ecs
- list-task-definitions
- describe-task-definition
- register-task-definition
- update-service
- logs
- create-log-group