Ensure container insights are enabled for Amazon Elastic Container Service (ECS) clusters

MEDIUM

Description

CloudWatch Container Insights can be used to collect logs from containerized workloads for analysis. This can help with auditing, performance tuning, and error checking in an Amazon Elastic Container Service (ECS) cluster. For more information on Container Insights, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Amazon ECS console.
  2. In the navigation pane, select Account Settings.
  3. Select the check box at the bottom of the page to enable Container Insights by default for new clusters.

In Terraform -

  1. In the aws_ecs_cluster resource, create a settings block.
  2. Add a field named name with a value of containerInsights.
  3. Add a field named value with a value of enabled.
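The two Terraform forms the rule distinguishes, as an added example that is not part of the original policy page: a cluster that would be flagged next to the remediated one from the steps above, plus the account-level default that matches the console steps. Cluster names are assumptions; note that in the AWS provider schema the block is spelled `setting` (singular).

```hcl
# Added example, not from the original page. Cluster names are assumed.

# Non-compliant: no setting block, so the cluster inherits the account-level
# containerInsights default, which is "disabled" unless changed in
# Account Settings. This is the shape the rule would flag.
resource "aws_ecs_cluster" "noncompliant" {
  name = "example-cluster-noncompliant"
}

# Compliant: containerInsights explicitly enabled on the cluster itself,
# so it no longer depends on the account default.
resource "aws_ecs_cluster" "compliant" {
  name = "example-cluster"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

# Terraform equivalent of the console remediation (Account Settings):
# makes Container Insights the default for clusters created afterwards
# in this account and region. Existing clusters still need the explicit
# setting block above.
resource "aws_ecs_account_setting_default" "container_insights" {
  name  = "containerInsights"
  value = "enabled"
}
```

After applying, confirm the effective cluster setting with `aws ecs describe-clusters --clusters example-cluster --include SETTINGS` and check that `containerInsights` reports `enabled`.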

References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-container-insights.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-cluster-settings.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster

Policy Details

Rule Reference ID: AC_AWS_0086
CSP: AWS
Remediation Available: Yes
Resource: aws_ecs_cluster
Resource Category: Compute

Frameworks