cis-aws-compute-3.9
This skill validates that AWS CloudWatch Container Insights monitoring is enabled for Amazon ECS clusters. Use this control to audit and enforce container performance visibility, resource usage tracking, and anomaly detection across ECS deployments, which improves security posture and operational troubleshooting capabilities.
```shell
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-3.9 && cp -r /tmp/cis-aws-compute-3.9/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-3.9 ~/.claude/skills/cis-aws-compute-3.9
```

SKILL.md
# Ensure monitoring is enabled for Amazon ECS clusters

## Description

Enable AWS CloudWatch Container Insights for Amazon ECS clusters to monitor resource usage, performance, and application health through metrics and logs.

## Rationale

Monitoring ECS clusters with Container Insights improves visibility, supports faster issue detection, and enhances security by identifying anomalies and resource bottlenecks.

## Impact

Enabling AWS CloudWatch Container Insights for ECS clusters incurs costs for metrics, log ingestion, storage, and alarms.

## Audit Procedure

### Using AWS Console

1. Log in to the ECS console using https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Clusters`.
3. For each cluster listed, ensure that `Container Insights` is displayed in the `CloudWatch monitoring` column.

### Using AWS CLI

Run the following command to list clusters:

```
aws ecs list-clusters
```

Run the following command to view the settings for a cluster:

```
aws ecs describe-clusters --clusters <cluster-arn> --include SETTINGS --query 'clusters[*].settings'
```

Ensure `containerInsights` is set to `enabled` or `enhanced`.

## Expected Result

`containerInsights` should be set to `enabled` or `enhanced` for all ECS clusters.

## Remediation

### Using AWS Console

1. Log in to the ECS console using https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Clusters`.
3. Click the name of a cluster.
4. Click `Update cluster`.
5. Under `Monitoring`, select the radio button next to `Container Insights` or `Container Insights with enhanced observability`.
6. Click `Update`.
7. Repeat steps 1-6 for each ECS cluster requiring remediation.

### Using AWS CLI

For each cluster requiring remediation, run the following command to enable `containerInsights`:

```
aws ecs update-cluster-settings --cluster <cluster-arn> --settings name=containerInsights,value=enabled
```

## Default Value

Monitoring is disabled by default for Amazon ECS clusters.

## References

1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html
2. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/container-insights-detailed-ecs-metrics.html

## CIS Controls

| Controls Version | Control | IG 1 | IG 2 | IG 3 |
| ---------------- | ------------------------------- | ---- | ---- | ---- |
| v8 | 8.5 Collect Detailed Audit Logs | | x | x |
| v7 | 6.3 Enable Detailed Logging | | x | x |

## Profile

Level 2 | Automated
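The CLI audit above checks one cluster at a time; an account with many clusters is easier to audit programmatically. The following script is an added example, not part of this skill or the CyberStrike project. It evaluates the `clusters[*].settings` data that `aws ecs describe-clusters --include SETTINGS` returns, treating a cluster with no `containerInsights` entry as `disabled` (the control's stated default), and emits the remediation command from the control for every failing cluster. The ARNs in `SAMPLE_RESPONSE` are constructed placeholders; `audit_live_account` assumes boto3 is installed and AWS credentials are configured.

```python
"""Added example (not part of the CIS skill or the CyberStrike project): audit
ECS clusters for the containerInsights setting the control above checks."""
import json
from typing import Dict, List, Optional

# Values the control accepts (see "Expected Result" above).
COMPLIANT_VALUES = {"enabled", "enhanced"}


def container_insights_value(cluster: dict) -> str:
    """Return the cluster's containerInsights value.

    A cluster with no containerInsights entry in its settings is treated as
    'disabled', matching the control's stated default.
    """
    for setting in cluster.get("settings", []):
        if setting.get("name") == "containerInsights":
            return setting.get("value", "disabled")
    return "disabled"


def audit_clusters(describe_response: dict) -> List[Dict[str, str]]:
    """Evaluate every cluster in a describe-clusters response (include SETTINGS)."""
    findings = []
    for cluster in describe_response.get("clusters", []):
        value = container_insights_value(cluster)
        findings.append({
            "clusterArn": cluster["clusterArn"],
            "containerInsights": value,
            "status": "PASS" if value in COMPLIANT_VALUES else "FAIL",
        })
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Build the control's remediation command for each failing cluster."""
    return [
        f"aws ecs update-cluster-settings --cluster {f['clusterArn']} "
        "--settings name=containerInsights,value=enabled"
        for f in findings
        if f["status"] == "FAIL"
    ]


# Constructed sample response in the shape returned by
# `aws ecs describe-clusters --include SETTINGS`; the ARNs are placeholders.
SAMPLE_RESPONSE = {
    "clusters": [
        {"clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/prod",
         "settings": [{"name": "containerInsights", "value": "enabled"}]},
        {"clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/staging",
         "settings": [{"name": "containerInsights", "value": "enhanced"}]},
        {"clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/dev",
         "settings": [{"name": "containerInsights", "value": "disabled"}]},
        # Older cluster whose response carries no containerInsights entry at all.
        {"clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/legacy",
         "settings": []},
    ],
    "failures": [],
}


def audit_live_account(region_name: Optional[str] = None) -> List[Dict[str, str]]:
    """Run the same check against a real account with boto3 (import kept local
    so the module still loads without boto3 installed)."""
    import boto3  # assumed: boto3 installed and AWS credentials configured

    ecs = boto3.client("ecs", region_name=region_name)
    arns: List[str] = []
    for page in ecs.get_paginator("list_clusters").paginate():
        arns.extend(page["clusterArns"])
    findings: List[Dict[str, str]] = []
    # describe_clusters accepts at most 100 cluster ARNs per call.
    for i in range(0, len(arns), 100):
        resp = ecs.describe_clusters(clusters=arns[i:i + 100], include=["SETTINGS"])
        findings.extend(audit_clusters(resp))
    return findings


if __name__ == "__main__":
    results = audit_clusters(SAMPLE_RESPONSE)
    print(json.dumps(results, indent=2))
    for cmd in remediation_commands(results):
        print(cmd)
```

Run against the constructed sample, `prod` and `staging` pass and `dev` and `legacy` fail, so two `update-cluster-settings` commands are printed. A real `describe-clusters` response also carries a `failures` list for ARNs that could not be described; treat anything listed there as unaudited rather than as passing.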