Latest ECS Fargate Platform Version Should Be Set
More Info:
This rule checks if ECS Fargate services are set to the latest platform version. It is marked as NON_COMPLIANT if the PlatformVersion for the Fargate launch type is not set to LATEST or if neither latestLinuxVersion nor latestWindowsVersion are provided as parameters.
Risk Level: Medium
Address: Security
Compliance Standards: CBP, SEBI
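The rule text above can be turned into an offline check. The following evaluator is an added example, not part of the original page or of any vendor tool: it takes service records shaped like the entries in the `services` list returned by ECS DescribeServices (the records here are constructed samples, not real account data) and applies the rule as described. Its reading of the parameters is an assumption: a pinned version passes only when it equals the supplied latestLinuxVersion or latestWindowsVersion for the service's platform family, and when neither parameter is supplied only LATEST passes. Services that reach Fargate through a FARGATE or FARGATE_SPOT capacity provider (which carry no launchType) are treated as Fargate services.

```python
# Added example: offline evaluator for the "latest ECS Fargate platform version" rule.
# Sample records are constructed to resemble DescribeServices output; they are not real data.
from typing import Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def _uses_fargate(service: dict) -> bool:
    """True if the service runs on Fargate, via launchType or a capacity provider."""
    if service.get("launchType") == "FARGATE":
        return True
    # Capacity-provider services have no launchType; FARGATE/FARGATE_SPOT still run on Fargate.
    return any(cp.get("capacityProvider", "").startswith("FARGATE")
               for cp in service.get("capacityProviderStrategy", []))


def evaluate_service(service: dict,
                     latest_linux_version: Optional[str] = None,
                     latest_windows_version: Optional[str] = None) -> str:
    """Return the compliance status of one service description.

    Assumed rule semantics (see lead-in):
      * non-Fargate services are out of scope -> NOT_APPLICABLE
      * platformVersion == "LATEST" always passes
      * a pinned version passes only if it equals the expected latest version
        for the service's platform family; with no expected version it fails
    """
    if not _uses_fargate(service):
        return NOT_APPLICABLE
    version = service.get("platformVersion") or ""
    if version == "LATEST":
        return COMPLIANT
    # platformFamily is "LINUX" or a WINDOWS_SERVER_* value; default to Linux when absent.
    family = service.get("platformFamily", "LINUX")
    expected = latest_windows_version if family.startswith("WINDOWS") else latest_linux_version
    return COMPLIANT if expected and version == expected else NON_COMPLIANT


def evaluate_all(services: list, **expected_versions) -> dict:
    """Map each serviceName to its compliance status."""
    return {s["serviceName"]: evaluate_service(s, **expected_versions) for s in services}


# Constructed sample service descriptions (assumed values, not real account data).
SAMPLE_SERVICES = [
    {"serviceName": "api", "launchType": "FARGATE",
     "platformVersion": "LATEST", "platformFamily": "LINUX"},
    {"serviceName": "worker", "launchType": "FARGATE",
     "platformVersion": "1.3.0", "platformFamily": "LINUX"},
    {"serviceName": "legacy", "launchType": "FARGATE",
     "platformVersion": "1.4.0", "platformFamily": "LINUX"},
    {"serviceName": "win-app",
     "capacityProviderStrategy": [{"capacityProvider": "FARGATE", "weight": 1}],
     "platformVersion": "1.0.0", "platformFamily": "WINDOWS_SERVER_2019_CORE"},
    {"serviceName": "daemon", "launchType": "EC2"},
]

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_SERVICES,
                                     latest_linux_version="1.4.0",
                                     latest_windows_version="1.0.0").items():
        print(f"{name}: {status}")
```

Run with the expected versions set, `worker` is the only non-compliant Fargate service; run without them, `legacy` and `win-app` also fail because their pinned versions can no longer be confirmed as current, which is the conservative behaviour you want from a detection rule.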
Triage and Remediation
Remediation
To remediate the misconfiguration of the latest ECS Fargate platform version not being set in AWS, follow these steps using the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and log in with your credentials.
- Navigate to ECS: In the AWS Management Console, navigate to the ECS (Elastic Container Service) service by either searching for it in the services search bar or by selecting it from the list of recently visited services.
- Select the Cluster: From the ECS dashboard, select the cluster where your Fargate tasks are running that you want to update the platform version for.
- View Services: In the cluster view, click on the “Services” tab to view the list of services running in the cluster.
- Select Service: Identify the service for which you want to update the ECS Fargate platform version and click on the service name to view its details.
- Update Task Definition: In the service details page, locate the “Task Definition” section and click on the task definition name to view its details.
- Create New Revision: In the task definition details page, click on the “Create new revision” button to create a new revision of the task definition.
- Update Platform Version: In the task definition editor, scroll down to the “Fargate platform version” section and select the latest platform version available from the dropdown list.
- Review and Save: Review the other configurations in the task definition if needed and then click on the “Create” button to save the new revision of the task definition with the updated Fargate platform version.
- Update Service: Once the new task definition revision is created, go back to the service details page, click on the “Update” button, and select the newly created task definition revision with the updated Fargate platform version.
- Update Service: Review the update strategy and click on the “Next step” button, then review the service configuration and click on the “Next step” button again.
- Update Service: Finally, click on the “Update Service” button to apply the changes and update the service with the new task definition revision using the latest ECS Fargate platform version.
By following these steps, you will successfully remediate the misconfiguration of not having the latest ECS Fargate platform version set in AWS ECS for your Kubernetes cluster.
To remediate the misconfiguration of the latest ECS Fargate platform version not being set in AWS Kubernetes using AWS CLI, follow these steps (the platform version is a property of each ECS service, so the commands operate on a service):
- Check the platform version currently used by the Fargate service with the following AWS CLI command:
aws ecs describe-services --cluster <cluster_name> --services <service_name> --query 'services[].{name:serviceName,launchType:launchType,platformVersion:platformVersion}'
- Identify the services whose platformVersion is pinned to a specific version rather than LATEST.
- Set the service to the latest ECS Fargate platform version using the following AWS CLI command:
aws ecs update-service --cluster <cluster_name> --service <service_name> --platform-version LATEST --force-new-deployment
Replace <cluster_name> and <service_name> with the cluster and the service identified in step 2. The --force-new-deployment flag rolls the running tasks onto the new platform version.
- Verify that the latest ECS Fargate platform version has been successfully set by running the following AWS CLI command and confirming that platformVersion now reads LATEST:
aws ecs describe-services --cluster <cluster_name> --services <service_name> --query 'services[].platformVersion'
By following these steps, you can successfully remediate the misconfiguration of not having the latest ECS Fargate platform version set in AWS Kubernetes using AWS CLI.
To remediate the misconfiguration of not having the latest ECS Fargate Platform version set in AWS Kubernetes using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
pip install boto3
- Use the following Python script to update the ECS Fargate Platform version in your AWS Kubernetes cluster:
import boto3

# Initialize the ECS client
ecs_client = boto3.client('ecs')


def uses_fargate(service):
    """True if the service runs on Fargate, via launchType or a FARGATE/FARGATE_SPOT capacity provider."""
    if service.get('launchType') == 'FARGATE':
        return True
    return any(cp.get('capacityProvider', '').startswith('FARGATE')
               for cp in service.get('capacityProviderStrategy', []))


# Get the list of ECS clusters in your account (paginated)
clusters = []
for page in ecs_client.get_paginator('list_clusters').paginate():
    clusters.extend(page['clusterArns'])

# Iterate over each cluster
for cluster in clusters:
    # Collect the ARNs of the services in the cluster (paginated)
    service_arns = []
    for page in ecs_client.get_paginator('list_services').paginate(cluster=cluster):
        service_arns.extend(page['serviceArns'])

    # describe_services accepts at most 10 services per call
    for i in range(0, len(service_arns), 10):
        batch = service_arns[i:i + 10]
        described = ecs_client.describe_services(cluster=cluster, services=batch)
        for service in described['services']:
            # Only Fargate services have a platform version
            if not uses_fargate(service):
                continue
            # Check if the Fargate platform version is already set to the latest version
            if service.get('platformVersion') == 'LATEST':
                continue
            # Update the service to the latest Fargate platform version;
            # forceNewDeployment rolls the running tasks onto the new version
            ecs_client.update_service(
                cluster=cluster,
                service=service['serviceArn'],
                platformVersion='LATEST',
                forceNewDeployment=True,
            )
            print(f"Updated ECS Fargate platform version for service "
                  f"{service['serviceName']} in cluster {cluster}.")
- Run the Python script on your local machine or any environment where you have the necessary permissions to update ECS clusters.
This script will iterate through all the ECS clusters in your AWS account, check each Fargate service to see whether its platform version is set to LATEST, and update the service to LATEST if it is pinned to an older version.
Make sure to configure your AWS credentials properly to allow the script to access and update the ECS clusters; the identity it runs under needs permission for ecs:ListClusters, ecs:ListServices, ecs:DescribeServices and ecs:UpdateService.