Quick Start Security for Amazon ECS
Coralogix Extension For Amazon ECS Includes:
Alerts - 9
Stay on top of Amazon ECS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Cluster is deleted
This rule detects the deletion of the specified cluster.
Impact: An unauthorized change or deletion of a cluster could indicate malicious activity.
Mitigation: Inspect the user who deleted the cluster and verify whether this was an authorized action. If not, investigate further and revert the changes.
MITRE Tactic: TA0005
MITRE Technique: T1578
Command executed inside a container
This rule detects execution of a command inside an ECS container.
Impact: A command executed by an anonymous user could indicate malicious activity.
Mitigation: Review the command that was executed and determine how an anonymous user was able to execute it. Revert all the changes, investigate further and perform root cause analysis.
MITRE Tactic: TA0001
MITRE Technique: T1078
Task is stopped
This rule detects if a task is stopped in ECS.
Impact: An unauthorized stop action on a task could indicate malicious activity.
Mitigation: Review the task which has been stopped and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was stopped.
MITRE Tactic: TA0003
MITRE Technique: T1053
Service is deleted
This rule detects if a service is deleted in ECS.
Impact: An unauthorized change or deletion of a service could indicate malicious activity.
Mitigation: Review the deleted service and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was deleted.
MITRE Tactic: TA0005
MITRE Technique: T1578
Task is run or started
This rule detects if a new task is started in ECS.
Impact: An unauthorized run or start action on a task could indicate malicious activity.
Mitigation: Review the task which has been started or run and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was started or run.
MITRE Tactic: TA0003
MITRE Technique: T1053
Service is created
This rule detects if a new service is created in ECS.
Impact: An unauthorized creation of a service could indicate malicious activity.
Mitigation: Inspect the user who created the service and verify whether this was an authorized action. If not, investigate further and revert the changes.
MITRE Tactic: TA0005
MITRE Technique: T1578
RegisterTaskDefinition with Resource-Intensive Parameters
This alert will trigger when an AWS API call for RegisterTaskDefinition on ECS is logged, with container definition values for CPU and Memory exceeding a certain threshold that is considered safe.
Impact: An attacker may register a task definition with resource-intensive parameters (many CPUs, large memory allocation), leading to resource exhaustion.
Mitigation: Review the alert details, determine the identity of the user who performed this action and confirm their intentions. Check whether the same user performed any additional activities on other AWS services at the same time.
MITRE Tactic: TA0040
MITRE Technique: T1496
RunTask with High TaskCount
This alert will trigger when an AWS API call for RunTask on ECS is logged, with a high TaskCount value.
Impact: An attacker may attempt to exhaust resources by running an unusually high number of tasks within an ECS cluster.
Mitigation: Review the alert details, determine the identity of the user who performed this action and confirm their intentions. Check whether the same user performed any additional activities on other AWS services at the same time.
MITRE Tactic: TA0040
MITRE Technique: T1496
UpdateService with High DesiredCount
This alert will trigger when an AWS API call for UpdateService on ECS is logged, with a high DesiredCount value.
Impact: An attacker may try to exhaust ECS cluster resources by increasing the desired count of a service to an unusually high value.
Mitigation: Review the alert details, determine the identity of the user who performed this action and confirm their intentions. Check whether the same user performed any additional activities on other AWS services at the same time.
MITRE Tactic: TA0040
MITRE Technique: T1496
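The three resource-exhaustion alerts above (RegisterTaskDefinition, RunTask, UpdateService) expressed as detection logic over parsed CloudTrail records. This is an added example, not Coralogix's rule definitions. The thresholds, the sample records, and the request-parameter field names (`containerDefinitions[].cpu`/`memory`, `count`, `desiredCount`, taken from the ECS API) are assumptions.

```python
# Thresholds are assumptions; the page only says "a certain threshold". Tune per environment.
MAX_CPU_UNITS = 4096     # 1024 CPU units = 1 vCPU
MAX_MEMORY_MIB = 16384
MAX_TASK_COUNT = 5       # RunTask accepts at most 10 tasks per call
MAX_DESIRED_COUNT = 50

def to_int(value):
    """Coerce a field to int; missing or non-numeric values count as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def check_event(event):
    """Findings for one CloudTrail record; field names assumed from the ECS API."""
    if event.get("eventSource") != "ecs.amazonaws.com":
        return []
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    name, hits = event.get("eventName"), []
    if name == "RegisterTaskDefinition":
        for c in params.get("containerDefinitions") or []:
            cpu, mem = to_int(c.get("cpu")), to_int(c.get("memory"))
            if cpu > MAX_CPU_UNITS or mem > MAX_MEMORY_MIB:
                hits.append((name, actor, f"{c.get('name')}: cpu={cpu} memory={mem}"))
    elif name == "RunTask" and to_int(params.get("count")) > MAX_TASK_COUNT:
        hits.append((name, actor, f"count={params['count']}"))
    elif name == "UpdateService" and to_int(params.get("desiredCount")) > MAX_DESIRED_COUNT:
        hits.append((name, actor, f"desiredCount={params['desiredCount']}"))
    return hits

def scan(events):
    """Run check_event over a batch of records and flatten the findings."""
    return [hit for event in events for hit in check_event(event)]

# Constructed sample records (only the fields the checks read), not real logs.
SAMPLE_ARN = "arn:aws:iam::111122223333:user/example-user"
def record(name, params):
    return {"eventSource": "ecs.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": SAMPLE_ARN}, "requestParameters": params}

SAMPLE_EVENTS = [
    record("RegisterTaskDefinition", {"containerDefinitions": [
        {"name": "app", "cpu": 256, "memory": 512},
        {"name": "worker", "cpu": 16384, "memory": 122880}]}),
    record("RunTask", {"cluster": "prod", "count": 10}),
    record("RunTask", {"cluster": "prod"}),  # count omitted: not flagged
    record("UpdateService", {"service": "web", "desiredCount": 500}),
    record("UpdateService", {"service": "web", "desiredCount": 3}),
]
```

Each finding carries the caller's ARN so the mitigation step (identify the user and check their other activity) can start from the alert itself.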
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon ECS in our documentation.