Risk Level: Low
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.NET.34
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsCluster should not have containerInstances length() = 0

REMEDIATION

From Portal
Use following steps to verify container instances are registered with ECS clusters.

Login to the AWS Management Console and navigate to ECS service.
On ECS dashboard, select cluster you want to check.
Click on ECS Instances tab available on the main page of cluster details.
Select the container instance you want to examine under ECS Instances.
Verify there is at least one instance is registered with that ECS cluster.

Use following steps to delete a cluster.

Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
From the navigation bar, select the Region to use.
In the navigation pane, choose Clusters.
On the Clusters page, select the cluster to delete.
In the upper-right of the page, choose Delete Cluster. You see a confirmation prompt.
In the confirmation box, enter delete me.

Use following steps to register instances with the ECS Cluster.

Open the new console at https://console.aws.amazon.com/ecs/v2.
From the navigation bar, select the Region to use.
In the navigation pane, choose Clusters.
On the Clusters page, choose a cluster to register your external instance to.
On the Cluster : name page, choose the Infrastructure tab.
On the Register external instances page, complete the following steps.
a. For Activation key duration (in days), enter the number of days that the activation key remains active for. After the number of days you entered pass, the key no longer works when registering an external instance.
b. For Number of instances, enter the number of external instances that you want to register to your cluster with the activation key.
c. For Instance role, choose the IAM role to associate with your external instances. If a role wasn't already created, choose Create new role to have Amazon ECS create a role on your behalf. For more information about what IAM permissions are required for your external instances, see Required IAM permissions for external instances.
d. Copy the registration command. This command should be run on each external instance you want to register to the cluster.
Note: The bash portion of the script must be run as root. If the command isn't run as root, an error is returned.
e. Choose Close.

From Command Line
Use following commands to register an existing external instance with a different Cluster.
a. Stop the Amazon ECS container agent.

Stop-Service AmazonECS

b. Modify the ECS_CLUSTER parameter so that the cluster name matches the name of the cluster to register the external instance with.

[Environment]::SetEnvironmentVariable(ECS_CLUSTER, $ECSCluster, [System.EnvironmentVariableTarget]::Machine)

c. Remove the existing Amazon ECS agent data.

Remove-Item -Recurse -Force $env:ProgramData"Amazon"ECS"data"*

d. Start the Amazon ECS container agent.

Start-Service AmazonECS

Use following delete-cluster command to delete the specified empty cluster:

aws ecs delete-cluster --cluster CLUSTER_NAME

References

Amazon Elastic Container Service - Cluster

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
CloudGuard AWS All Rules Ruleset