Risk Level: Low
Cloud Entity: Amazon ECS Task Definitions
CloudGuard Rule ID: D9.AWS.OPE.03
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EcsTask should not have healthStatus = 'UNKNOWN'

REMEDIATION

From Portal
Use following steps to verify current status of task definition.

Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
Navigate to ECS.
Select the Region that contains your task definition.
In the left pane, select Task Definitions.
Verify the Status of last revision. it should be ACTIVE not UNKNOWN.

Create a new task definition revision to enable container's health check.

Navigate to ECS.
Select the Region that contains your task definition.
In the left pane, select Task Definitions.
Check the task definition and click Create new revision.
On the Create new revision of task definition page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, make the changes, and then choose Update.
Select Create.
If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition.

Note: Follow reference section for more details on updating a service.

From Command Line
Use following command to create new task definition revision with a JSON string parameter.

Note: Container definitions is provided as a JSON string parameter with escaped double quotes.

aws ecs register-task-definition --family task_definition_family --container-definitions "[{\"name\":\"sleep\",\"image\":\"busybox\",\"cpu\":10,\"command\":[\"sleep\",\"360\"],\"memory\":10,\"essential\":true}]"

Use following command to change the task definition used in a service.

aws ecs update-service --service service_name --task-definition task_definition_ARN

References

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_healthcheck
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-task-definition-classic.html
https://aws.amazon.com/premiumsupport/knowledge-center/ecs-task-container-health-check-failures/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/register-task-definition.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/update-service.html

Amazon ECS Task Definitions

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
CloudGuard AWS All Rules Ruleset