Skill323 repo starsupdated today
cis-aws-compute-3.8
This Claude Code skill audits and remediates Amazon ECS Fargate services to ensure they run on the latest platform version, delivering current security patches and performance enhancements. Use this skill when conducting AWS infrastructure compliance reviews or when standardizing Fargate deployments across multiple clusters and services to maintain up-to-date platform configurations.
Install in Claude Code
Copygit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-3.8 && cp -r /tmp/cis-aws-compute-3.8/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-3.8 ~/.claude/skills/cis-aws-compute-3.8Then start a new Claude Code session; the skill loads automatically.
Definition
SKILL.md
# Ensure Amazon ECS Fargate services are using the latest Fargate platform version ## Description Ensure that Amazon ECS Fargate services use the latest Fargate platform version to benefit from the latest security enhancements, performance improvements, and feature updates. ## Rationale Using the latest Fargate platform version ensures services benefit from up-to-date security patches and features. ## Impact Updating to the latest Fargate platform version may require minor operational effort. ## Audit Procedure ### Using AWS Console 1. Login to the ECS console using https://console.aws.amazon.com/ecs/. 2. In the left panel, click `Clusters`. 3. Click the name of a cluster. 4. Under `Services`, from the `Filter launch type` drop-down menu, select `FARGATE`. 5. Click the name of a service. 6. Click `Configuration and networking`. 7. Under `Service configuration`, ensure `Platform version` is set to `1.4.0` or `LATEST` for Linux, or `1.0.0` or `LATEST` for Windows. 8. Repeat steps 1-7 for each ECS cluster and Fargate service. ### Using AWS CLI Run the following command to list clusters: ``` aws ecs list-clusters ``` Run the following command to list services in a cluster: ``` aws ecs list-services --cluster <cluster-arn> ``` Run the following command to view the details of a service: ``` aws ecs describe-services --cluster <cluster-arn> --services <service-arn> --query 'services[*].[platformFamily,platformVersion]' --output table ``` Where `platformFamily` is `Linux`, ensure `platformVersion` is `1.4.0` or `LATEST`. Where `platformFamily` is `Windows`, ensure `platformVersion` is `1.0.0` or `LATEST`. Repeat for each cluster and service. ## Expected Result All Fargate services should be using platform version `1.4.0`/`LATEST` (Linux) or `1.0.0`/`LATEST` (Windows). ## Remediation ### Using AWS Console 1. Login to the ECS console using https://console.aws.amazon.com/ecs/. 2. In the left panel, click `Clusters`. 3. Click the name of a cluster. 4. Under `Services`, from the `Filter launch type` drop-down menu, select `FARGATE`. 5. Click the name of a service. 6. Click `Update service`. 7. Expand the `Compute configuration (advanced)` section. 8. Under `Platform version`, select `LATEST` from the drop-down menu. 9. Click `Update`. 10. Repeat steps 1-9 for each ECS cluster and Fargate service requiring remediation. ### Using AWS CLI For each service requiring remediation, run the following command to set `platformVersion` to `LATEST`: ``` aws ecs update-service --cluster <cluster-arn> --service <service-arn> --platform-version LATEST ``` ## Default Value The platform version for Fargate services is `LATEST` by default. ## References 1. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform-fargate.html 2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/list-clusters.html 3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/list-services.html 4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-services.html ## CIS Controls | Controls Version | Control | IG 1 | IG 2 | IG 3 | | ---------------- | ----------------------------------------------------- | ---- | ---- | ---- | | v8 | 2.2 Ensure Authorized Software is Currently Supported | x | x | x | | v7 | 2.2 Ensure Software is Supported by Vendor | x | x | x | ## Profile Level 1 | Automated
More from this repository
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates