Amazon ECS task definition containers specify a logging configuration with a non-null logDriver for every container in the latest active revision.
Risk
Absent container logs erode visibility, letting intrusions, data exfiltration, and configuration tampering go undetected.
Missing audit trails weaken confidentiality and integrity, hinder forensics, and increase MTTR during outages, impacting availability and compliance evidence.
prowler aws --checks ecs_task_definitions_logging_enabled
Recommendation
Implement centralized, tamper-resistant container logging for all tasks. Define a logDriver per container and ship logs to a managed destination with restricted access. Apply least privilege, encryption, and retention. Monitor and alert on anomalies. If using external collectors, ensure equivalent coverage and durability.
Remediation
aws ecs register-task-definition --family <task-family> --container-definitions '[{"name":"<container-name>","image":"<image>","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-group":"<log-group>","awslogs-region":"<region>"}}}]'
- In the AWS Console, go to Amazon ECS > Task Definitions
- Select your task definition and click Create new revision
- For each container, open Edit and set Log configuration to awslogs
- Set Log group to the desired CloudWatch Logs group and select the Region
- Save and Create to register the new revision (ensure all containers have logging)
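The following is an added example, not Prowler's own check code or AWS tooling. It evaluates a task definition object (the shape returned by `aws ecs describe-task-definition`) with the same condition this check uses, every container must carry a logConfiguration with a non-null logDriver, and then builds a remediated containerDefinitions list that adds an awslogs configuration to each failing container, which is the JSON you would pass to the register-task-definition command above. The task definition, family name, images, log group and region are constructed sample values; the `awslogs-stream-prefix` option is added because the awslogs driver requires it for Fargate tasks.

```python
"""Added example (not Prowler's code): find ECS containers with no logDriver and
build a remediated containerDefinitions list that enables awslogs on them.
"""
import copy
import json

# Constructed sample task definition: "web" already logs to CloudWatch Logs,
# "sidecar" has no logConfiguration at all, "worker" has a null logDriver.
SAMPLE_TASK_DEFINITION = {
    "family": "example-api",          # hypothetical family name
    "revision": 7,
    "status": "ACTIVE",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "public.ecr.aws/example/web:1.0",       # hypothetical image
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/example-api",     # hypothetical group
                    "awslogs-region": "us-east-1",
                },
            },
        },
        {"name": "sidecar", "image": "public.ecr.aws/example/sidecar:1.0"},
        {
            "name": "worker",
            "image": "public.ecr.aws/example/worker:1.0",
            "logConfiguration": {"logDriver": None},
        },
    ],
}


def containers_without_logging(task_definition):
    """Return names of containers whose logConfiguration has no logDriver.

    Mirrors the check's condition: a container passes only when a
    logConfiguration exists and its logDriver is non-null and non-empty.
    """
    missing = []
    for container in task_definition.get("containerDefinitions", []):
        log_config = container.get("logConfiguration") or {}
        if not log_config.get("logDriver"):
            missing.append(container["name"])
    return missing


def check_passes(task_definition):
    """True when every container in the revision has a logDriver set."""
    return not containers_without_logging(task_definition)


def with_awslogs(task_definition, log_group, region, stream_prefix="ecs"):
    """Return a deep-copied containerDefinitions list with awslogs configured
    on every container that lacks a logDriver; containers that already log
    are left untouched. The input object is not mutated.
    """
    containers = copy.deepcopy(task_definition.get("containerDefinitions", []))
    for container in containers:
        if (container.get("logConfiguration") or {}).get("logDriver"):
            continue  # already has a driver, keep the existing configuration
        container["logConfiguration"] = {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": log_group,
                "awslogs-region": region,
                # Required by the awslogs driver for Fargate tasks.
                "awslogs-stream-prefix": stream_prefix,
            },
        }
    return containers


if __name__ == "__main__":
    print("containers missing logging:",
          containers_without_logging(SAMPLE_TASK_DEFINITION))
    fixed = with_awslogs(SAMPLE_TASK_DEFINITION, "/ecs/example-api", "us-east-1")
    # This JSON is the --container-definitions argument for register-task-definition.
    print(json.dumps(fixed, indent=2))
```

Run it against the output of `aws ecs describe-task-definition --task-definition <task-family>` (the `taskDefinition` key) to see which containers the check would flag, then feed the returned list to register-task-definition to create the compliant revision.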
Source Code
Resource Type
AwsEcsTaskDefinition