Ensure that at least one Load Balancer is attached to the service
Your Amazon ECS service should be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in your service.
Risk Level: Medium
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.NET.38
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
EcsService should have loadBalancers length()>0
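The same check, applied to the DescribeServices response shape rather than GSL, as an added example (not CloudGuard's own code): a pure rule function plus a cluster walker that takes any boto3-style ECS client, with a constructed offline stub so the audit can be exercised without AWS credentials.

```python
"""Audit ECS services for rule D9.AWS.NET.38: flag every service whose
loadBalancers list is empty. Pure-Python example, not CloudGuard code."""
from typing import Any, Dict, Iterable, List


def services_without_lb(described: Iterable[Dict[str, Any]]) -> List[str]:
    """'EcsService should have loadBalancers length()>0' over service
    objects in the shape returned by ECS DescribeServices."""
    return [svc["serviceArn"] for svc in described
            if len(svc.get("loadBalancers", [])) == 0]


def audit_cluster(ecs, cluster: str) -> List[str]:
    """Return ARNs of non-compliant services in one cluster. `ecs` is any
    object exposing boto3's ECS client interface (boto3.client('ecs') or a
    stub). DescribeServices accepts at most 10 ARNs per call, so chunk."""
    arns: List[str] = []
    for page in ecs.get_paginator("list_services").paginate(cluster=cluster):
        arns.extend(page["serviceArns"])
    failing: List[str] = []
    for i in range(0, len(arns), 10):
        resp = ecs.describe_services(cluster=cluster, services=arns[i:i + 10])
        failing.extend(services_without_lb(resp["services"]))
    return failing


# Constructed sample: one service behind a target group, one with none.
ACCT = "111122223333"
SAMPLE_SERVICES = [
    {"serviceArn": f"arn:aws:ecs:us-east-1:{ACCT}:service/demo/web",
     "loadBalancers": [{"targetGroupArn": "arn:aws:elasticloadbalancing:"
                        f"us-east-1:{ACCT}:targetgroup/web/abc123",
                        "containerName": "web", "containerPort": 8080}]},
    {"serviceArn": f"arn:aws:ecs:us-east-1:{ACCT}:service/demo/worker",
     "loadBalancers": []},
]


class StubEcs:
    """Offline stand-in for the boto3 ECS client (constructed here)."""
    def get_paginator(self, name):
        assert name == "list_services"
        arns = [s["serviceArn"] for s in SAMPLE_SERVICES]

        class _Pager:
            def paginate(self, **kwargs):
                yield {"serviceArns": arns}
        return _Pager()

    def describe_services(self, cluster, services):
        return {"services": [s for s in SAMPLE_SERVICES
                             if s["serviceArn"] in services]}


if __name__ == "__main__":
    print(audit_cluster(StubEcs(), "demo"))  # lists the 'worker' service
```

Services that take no inbound traffic (queue workers, batch jobs) are reported too; record those as documented exceptions rather than fronting them with a load balancer.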
REMEDIATION
Load balancing settings can only be set on service creation. In order to verify the presence of a Load Balancer, please perform the following steps:
From Portal
- Log in to the AWS Management Console and open ECS at https://console.aws.amazon.com/ecs/home.
- Navigate to Clusters and choose the cluster
- In the detailed view of the cluster, select the service
- Ensure a Load Balancer is present under Target Group Name
- If no Load Balancer is present under Target Group Name, add one when creating a new service.
From TF
To attach a Load Balancer, specify either 'elb_name' (Classic Load Balancer) or 'target_group_arn' (ALB/NLB target group) in the load_balancer block of the aws_ecs_service resource:
resource "aws_ecs_service" "lb_example" {
  name            = "example"
  # task_definition is required by the resource; the referenced resources are assumed to exist
  task_definition = aws_ecs_task_definition.example.arn
  load_balancer {
    elb_name       = aws_elb.test.id
    container_name = "mongo"
    container_port = 8080
  }
}
OR
resource "aws_ecs_service" "lb_example" {
  name            = "example"
  task_definition = aws_ecs_task_definition.example.arn
  load_balancer {
    target_group_arn = aws_lb_target_group.test.arn
    container_name   = "mongo"
    container_port   = 8080
  }
}
From Command Line
To create a service behind a load balancer, run:
aws ecs create-service --cluster CLUSTER --service-name SERVICE_NAME --task-definition SAMPLE --desired-count 1 --load-balancers targetGroupArn=TARGET_GROUP_ARN,containerName=CONTAINER_NAME,containerPort=CONTAINER_PORT
OR
aws ecs create-service --cluster CLUSTER --service-name SERVICE --cli-input-json file://FILE.json
NOTE: file://FILE.json holds the create-service input for the ECS service in JSON; its "loadBalancers" array must list the target group or ELB the service is attached to.
References
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-application-load-balancer.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster
- https://docs.aws.amazon.com/cli/latest/reference/ecs/create-cluster.html
- https://docs.aws.amazon.com/cli/latest/reference/ecs/create-service.html
Amazon Elastic Container Service
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset