Severity: HIGH | Service: ECS

ECS task logging

Check ID: aws-ecs-002

aws-ecs-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags ECS task definitions in which at least one container definition has no logConfiguration block. Without a configured log driver, that container's stdout and stderr are not collected anywhere you can reach them.

Why it matters

Without a logConfiguration block, a container's stdout and stderr are not collected: on Fargate they go nowhere, and on EC2 they land in the Docker daemon's default driver on the host (json-file unless the instance was configured otherwise), where they are not searchable and disappear with the container. When a container crashes at 3 AM, you have no error messages, stack traces, or application output to diagnose the failure. Security-relevant events the application writes to its log (failed authentication, rejected or malformed requests, policy violations) are lost as well. In incident response, missing container logs leave an evidence gap that cannot be closed after the fact, because the data was never stored. ECS supports several log drivers (awslogs, splunk, fluentd, gelf, json-file, journald, syslog and awsfirelens; Fargate tasks can use only awslogs, splunk and awsfirelens). The awslogs driver is the simplest integration: output goes straight to CloudWatch Logs, where it can be searched, alarmed on, and retained according to your policy. Two prerequisites apply: the log group must exist before the task starts (or the awslogs-create-group option must be set and the role allowed logs:CreateLogGroup), and the task execution role on Fargate, or the container instance role on EC2, must allow logs:CreateLogStream and logs:PutLogEvents. Set a retention period on the group, since the default keeps logs forever. CloudWatch Logs is priced on ingested and stored volume, so for standard task log volumes the cost is small, typically under $1/month per task.

Common causes

Logging configuration is omitted when teams create task definitions quickly through the CLI or copy JSON templates that do not include the logConfiguration block. Engineers new to ECS may not realize that container output is silently discarded unless a log driver is explicitly configured. Some teams skip logging on short-lived batch tasks or sidecar containers, not realizing these are often the containers most in need of debugging visibility.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
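The detection logic itself is short. The following is an added example of how such a check works, written here for illustration and not cloud-audit's own code: it walks describe-task-definition payloads and reports every container whose logConfiguration is absent, empty, or names no logDriver. The sample task definitions are constructed; the optional live scan assumes boto3 and read-only permissions for ecs:ListTaskDefinitionFamilies and ecs:DescribeTaskDefinition.

```python
"""Flag ECS containers that have no log driver, the condition aws-ecs-002 reports.

Illustrative reimplementation, not cloud-audit's own code. The sample task
definitions below are constructed; the live scan needs boto3 and read-only
ECS permissions (ecs:ListTaskDefinitionFamilies, ecs:DescribeTaskDefinition).
"""
from typing import Dict, List


def container_log_issue(container: Dict) -> str:
    """Return a reason string if the container drops its output, else ''.

    ECS only ships stdout/stderr when logConfiguration names a logDriver;
    an absent block, an empty block, or a block without a driver all count.
    """
    cfg = container.get("logConfiguration")
    if not cfg:
        return "no logConfiguration block"
    if not cfg.get("logDriver"):
        return "logConfiguration present but logDriver is empty"
    return ""


def find_unlogged_containers(task_definitions: List[Dict]) -> List[Dict]:
    """Audit describe-task-definition payloads; one finding per bad container."""
    findings = []
    for td in task_definitions:
        ident = f"{td['family']}:{td.get('revision', '?')}"
        for c in td.get("containerDefinitions", []):
            reason = container_log_issue(c)
            if reason:
                findings.append({"task_definition": ident,
                                 "container": c.get("name", "<unnamed>"),
                                 "reason": reason})
    return findings


# Constructed sample: describe-task-definition output trimmed to the relevant keys.
SAMPLE_TASK_DEFINITIONS = [
    {"family": "api", "revision": 7, "containerDefinitions": [
        {"name": "app", "image": "example/api:1.0",
         "logConfiguration": {"logDriver": "awslogs", "options": {
             "awslogs-group": "/ecs/api", "awslogs-region": "eu-central-1",
             "awslogs-stream-prefix": "ecs"}}},
        {"name": "envoy", "image": "example/envoy:1.0"},   # sidecar with no block at all
    ]},
    {"family": "nightly-batch", "revision": 2, "containerDefinitions": [
        {"name": "job", "image": "example/batch:1.0",
         "logConfiguration": {}},                         # empty block, same effect
    ]},
]


def scan_account(region: str = "eu-central-1") -> List[Dict]:
    """Live scan: latest ACTIVE revision of every family in one region (needs boto3)."""
    import boto3  # imported here so the offline part of the module needs no boto3
    ecs = boto3.client("ecs", region_name=region)
    tds = []
    paginator = ecs.get_paginator("list_task_definition_families")
    for page in paginator.paginate(status="ACTIVE"):
        for family in page["families"]:
            # Passing the family name returns its latest ACTIVE revision.
            tds.append(ecs.describe_task_definition(taskDefinition=family)["taskDefinition"])
    return find_unlogged_containers(tds)


if __name__ == "__main__":
    for f in find_unlogged_containers(SAMPLE_TASK_DEFINITIONS):
        print(f"{f['task_definition']} container={f['container']}: {f['reason']}")
```

The scan describes only the latest ACTIVE revision per family; older revisions are immutable and are not worth re-flagging unless a service still references one, which a follow-up check on each service's taskDefinition would show.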

Remediation: AWS CLI

# Add a logConfiguration block to every container definition in the task definition JSON:
"logConfiguration": {
  "logDriver": "awslogs",
  "options": {
    "awslogs-group": "/ecs/FAMILY",
    "awslogs-region": "REGION",
    "awslogs-stream-prefix": "ecs"
  }
}

Task definitions are immutable, so the edited JSON must be registered as a new revision with aws ecs register-task-definition --cli-input-json file://task-definition.json, after which each service or scheduled task must be pointed at that revision. The log group /ecs/FAMILY must exist before the task starts (aws logs create-log-group), or add "awslogs-create-group": "true" to the options and grant logs:CreateLogGroup to the execution role; either way, give the group a retention policy with aws logs put-retention-policy.
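Re-registering by hand means stripping the read-only fields that describe-task-definition returns and register-task-definition rejects. The following added example, not cloud-audit's own code, does that mechanically: it takes the output of aws ecs describe-task-definition --task-definition FAMILY, adds an awslogs block to every container that lacks a driver, and emits the JSON to pass as --cli-input-json. The group-naming scheme /ecs/FAMILY, the region, and the use of awslogs-create-group are assumptions; the input document is constructed.

```python
"""Patch a described ECS task definition so every container logs via awslogs.

Added example, not cloud-audit's own code. Input is the JSON that
`aws ecs describe-task-definition --task-definition FAMILY` prints; output is
the JSON for `aws ecs register-task-definition --cli-input-json file://taskdef.json`.
The /ecs/FAMILY group name, region and awslogs-create-group choice are assumptions.
"""
import json
from typing import Dict

# Fields describe-task-definition returns but register-task-definition rejects.
READ_ONLY_FIELDS = {"taskDefinitionArn", "revision", "status", "requiresAttributes",
                    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt"}


def awslogs_config(family: str, region: str) -> Dict:
    """awslogs block; awslogs-create-group requires logs:CreateLogGroup on the execution role."""
    return {"logDriver": "awslogs",
            "options": {"awslogs-group": f"/ecs/{family}",
                        "awslogs-region": region,
                        "awslogs-stream-prefix": "ecs",
                        "awslogs-create-group": "true"}}


def add_logging(task_definition: Dict, region: str) -> Dict:
    """Return a register-ready copy with awslogs on every container lacking a driver.

    Containers that already name a driver keep their configuration untouched.
    """
    new = {k: v for k, v in task_definition.items() if k not in READ_ONLY_FIELDS}
    new["containerDefinitions"] = [dict(c) for c in new.get("containerDefinitions", [])]
    for c in new["containerDefinitions"]:
        if not (c.get("logConfiguration") or {}).get("logDriver"):
            c["logConfiguration"] = awslogs_config(new["family"], region)
    return new


# Constructed: the shape describe-task-definition returns under "taskDefinition".
DESCRIBED = {"taskDefinition": {
    "taskDefinitionArn": "arn:aws:ecs:eu-central-1:123456789012:task-definition/worker:3",
    "family": "worker", "revision": 3, "status": "ACTIVE",
    "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"}],
    "compatibilities": ["EC2", "FARGATE"],
    "containerDefinitions": [
        {"name": "worker", "image": "example/worker:3", "essential": True},   # unlogged
        {"name": "sidecar", "image": "example/agent:1", "essential": False,
         "logConfiguration": {"logDriver": "awslogs", "options": {
             "awslogs-group": "/ecs/worker", "awslogs-region": "eu-central-1",
             "awslogs-stream-prefix": "agent"}}},                           # already fine
    ],
}}


def register_payload(described: Dict, region: str = "eu-central-1") -> str:
    """JSON text to save as taskdef.json and pass to register-task-definition."""
    return json.dumps(add_logging(described["taskDefinition"], region), indent=2)


if __name__ == "__main__":
    print(register_payload(DESCRIBED))
    # next: aws ecs register-task-definition --cli-input-json file://taskdef.json
```

The copy is shallow on purpose: the original dict is left unchanged so it can be diffed against the output before registering, and untouched containers keep their exact options, including a different stream prefix.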

Remediation: Terraform

resource "aws_cloudwatch_log_group" "task" {
  name              = "/ecs/family"
  retention_in_days = 90   # default is never expire; pick a period that matches your retention policy
}

resource "aws_ecs_task_definition" "task" {
  family = "family"
  # On Fargate also set execution_role_arn to a role that allows
  # logs:CreateLogStream and logs:PutLogEvents on the group above.
  container_definitions = jsonencode([{
    name      = "container"
    image     = "public.ecr.aws/docker/library/nginx:latest"
    essential = true
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = aws_cloudwatch_log_group.task.name
        "awslogs-region"        = "eu-central-1"
        "awslogs-stream-prefix" = "ecs"
      }
    }
  }])
}

This check is part of cloud-audit - install with pip install cloud-audit