Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Amazon ECS

Amazon ECS
Amazon ECS icon

Coralogix Extension For Amazon ECS Includes:

Alerts - 9

Stay on top of Amazon ECS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Cluster is deleted

This rule detects the deletion of the specified cluster. Impact An unauthorized change or deletion of a Cluster could indicate malicious activity. Mitigation Inspect the user who deleted the cluster and verify if this was an authorized action. If not, Further investigate and revert changes. MITRE Tactic: TA0005 MITRE Technique: T1578

Command executed inside a container

This rule detects execution of a command inside an ECS container. Impact Command executed by the anonymous user could indicate malicious activity. Mitigation Review the command which has been executed and determine how could an anonymous user execute command. Revert all the changes and investigate further and perform root cause analysis. MITRE Tactic: TA0001 MITRE Technique: T1078

Task is stopped

This rule detects if a task is stopped in ECS. Impact An unauthorized stop action on a task could indicate malicious activity. Mitigation Review the task which has been stopped and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was stopped. MITRE Tactic: TA0003 MITRE Technique: T1053

Service is deleted

This rule detects if a service is deleted in ECS. Impact An unauthorized change or deletion of a service could indicate malicious activity. Mitigation Review the deleted service and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was deleted. MITRE Tactic: TA0005 MITRE Technique: T1578

Task is run or started

This rule detects if a new task is started in ECS. Impact An unauthorized run or start action on a task could indicate malicious activity. Mitigation Review the task which has been started or run and determine if the action was approved. Revert changes if the user making the changes wasn't authorized and investigate further why it was started or run. MITRE Tactic: TA0003 MITRE Technique: T1053

Service is created

This rule detects if a new service is created in ECS. Impact An unauthorized creation of a service could indicate malicious activity. Mitigation Inspect the user who created the service and verify if this was an authorized action. If not, Further investigate and revert changes. MITRE Tactic: TA0005 MITRE Technique: T1578

RegisterTaskDefinition with Resource-Intensive Parameters

This alert will trigger when an AWS API call for RegisterTaskDefinition on ECS is logged, with container definition values for CPU and Memory exceeding a certain threshold that is considered safe. Impact An attacker may register a task definition with resource-intensive parameters (Many CPUs, large memory allocation), leading to resource exhaustion Mitigation Review the alert details, determine the identity of the user who performed this action and confirm its intentions. Check if same user performed any additional activities on other AWS services at the same time. MITRE Tactic: TA0040 MITRE Technique: T1496

RunTask with High TaskCount

This alert will trigger when an AWS API call for RunTask on ECS is logged, with a high TaskCount value. Impact An attacker may attempt to exhaust resources by running an unusually high number of tasks within an ECS cluster. Mitigation Review the alert details, determine the identity of the user who performed this action and confirm its intentions. Check if same user performed any additional activities on other AWS services at the same time. MITRE Tactic: TA0040 MITRE Technique: T1496

UpdateService with High DesiredCount

This alert will trigger when an AWS API call for UpdateService on ECS is logged, with a high DesiredCount value. Impact An attacker may try to exhaust ECS cluster resources by increasing the desired count of a service to an unusually high value. Mitigation Review the alert details, determine the identity of the user who performed this action and confirm its intentions. Check if same user performed any additional activities on other AWS services at the same time. MITRE Tactic: TA0040 MITRE Technique: T1496

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon ECS in our documentation.

Read More
Schedule Demo