Ensure container insights are enabled on ECS cluster

Error: Container insights are not enabled on ECS cluster

Bridgecrew Policy ID: BC_AWS_LOGGING_11
Checkov Check ID: CKV_AWS_65
Severity: MEDIUM

Description

Container Insights can be used to collect, aggregate, and summarize metrics and logs from containerized applications and microservices. It can also be extended to collect metrics at the cluster, task, and service levels. Using Container Insights allows you to monitor, troubleshoot, and set alarms for all your Amazon ECS resources. It provides a simple-to-use, native, and fully managed service for managing ECS issues.

We recommend using the AWS CLI for existing clusters, and either the Amazon ECS console or the AWS CLI for new clusters.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon ECS console.
  3. In the navigation pane, choose Account Settings.
  4. To enable the Container Insights default opt-in, check the box at the bottom of the page.

CLI Command

You can use the AWS CLI to set account-level permission to enable Container Insights for any new Amazon ECS clusters created in your account. To do so, enter the following command.

aws ecs put-account-setting \
  --name "containerInsights" \
  --value "enabled"
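
The account setting above applies to new clusters only. The following added example (not part of the original page or of Checkov) audits existing clusters from the JSON returned by `aws ecs describe-clusters --include SETTINGS` and builds the `aws ecs update-cluster-settings` command for each cluster that lacks the setting. The sample output is constructed, and `audit` and `remediation_command` are hypothetical helper names.

```python
import json
import shlex

# Constructed sample of `aws ecs describe-clusters --include SETTINGS` output.
# Cluster names other than "white-hart" and the account ID are made up.
SAMPLE = json.loads("""
{
  "clusters": [
    {"clusterName": "white-hart",
     "settings": [{"name": "containerInsights", "value": "enabled"}]},
    {"clusterName": "batch",
     "settings": [{"name": "containerInsights", "value": "disabled"}]},
    {"clusterName": "legacy", "settings": []}
  ],
  "failures": [
    {"arn": "arn:aws:ecs:us-east-1:111122223333:cluster/gone", "reason": "MISSING"}
  ]
}
""")

def audit(output, accepted=("enabled",)):
    """Return (non_compliant, unresolved).

    non_compliant: (cluster name, current value or None) per failing cluster.
    unresolved: ARNs the API could not describe; report them, do not pass them.
    """
    non_compliant = []
    for cluster in output.get("clusters", []):
        # A cluster with no settings list is treated as not enabled.
        settings = {s["name"]: s["value"] for s in cluster.get("settings") or []}
        value = settings.get("containerInsights")
        if value not in accepted:
            non_compliant.append((cluster["clusterName"], value))
    unresolved = [f.get("arn") for f in output.get("failures", [])]
    return non_compliant, unresolved

def remediation_command(cluster_name):
    """Build the per-cluster CLI fix, quoting the name for safe shell use."""
    return ("aws ecs update-cluster-settings --cluster {} "
            "--settings name=containerInsights,value=enabled"
            ).format(shlex.quote(cluster_name))

if __name__ == "__main__":
    failing, unresolved = audit(SAMPLE)
    for name, value in failing:
        print("# {}: containerInsights={}".format(name, value))
        print(remediation_command(name))
    for arn in unresolved:
        print("# could not describe: {}".format(arn))
```

The `accepted` parameter defaults to the value this page's fix sets; pass a wider tuple if your policy accepts other values.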

Fix - Buildtime

Terraform

  • Resource: aws_ecs_cluster
  • Argument: setting

resource "aws_ecs_cluster" "foo" {
  ...
  name = "white-hart"
+ setting {
+   name  = "containerInsights"
+   value = "enabled"
+ }
}

CloudFormation

  • Resource: AWS::ECS::Cluster
  • Argument: Properties.ClusterSettings

Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ...
+     ClusterSettings:
+       - Name: 'containerInsights'
+         Value: 'enabled'
