Risk Level: High
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.NET.33
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EcsCluster should not have containerInstances contain [ agentConnected = false and status != 'DRAINING' ]

REMEDIATION

From Portal

Login to the AWS Management Console and navigate to ECS service.
On ECS dashboard, select cluster you want to check.
Click on ECS Instances tab available on the main page of cluster details.
Select the container instance you want to examine under ECS Instances.
Verify the status, it should be 'ACTIVE' rather than 'DRAINING'

Note: Follow this link to troubleshoot disconnected Amazon ECS container instances: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-agent-disconnected/

From Command Line
To verify that the container agent is running on the affected container instance, run the following command:

sudo status ecs

If the container agent isn't running on your container instance, then run the following command to start the agent:

sudo start ecs

References

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-agent-disconnected/

Amazon Elastic Container Service - Cluster

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
CloudGuard AWS All Rules Ruleset