ECS Cluster should not have running container instances with unconnected agents
The Amazon ECS container agent associates container instances to your cluster and tells Docker when to start, stop, and query the containers you have specified to run. If the agent is unable to access the service, the container instance is not able to operate as a member of your ECS cluster.
Risk Level: High
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.NET.33
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
EcsCluster should not have containerInstances contain [ agentConnected = false and status != 'DRAINING' ]
REMEDIATION
From Portal
- Login to the AWS Management Console and navigate to ECS service.
- On ECS dashboard, select cluster you want to check.
- Click on ECS Instances tab available on the main page of cluster details.
- Select the container instance you want to examine under ECS Instances.
- Verify the status, it should be 'ACTIVE' rather than 'DRAINING'
Note: Follow this link to troubleshoot disconnected Amazon ECS container instances: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-agent-disconnected/
From Command Line
To verify that the container agent is running on the affected container instance, run the following command:
sudo status ecs
If the container agent isn't running on your container instance, then run the following command to start the agent:
sudo start ecs
References
Amazon Elastic Container Service - Cluster
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago