On the ECS Dashboard, click on Clusters in the left-hand menu to see a list of ECS clusters.
Select a cluster to explore its configuration, including services, tasks, and networking.
Services:
Within a selected cluster, go to the Services tab to view the services running on the cluster. Click on a service to access its details, including the task definition, deployment configuration, and health checks.
Task Definitions:
In the left-hand menu, select Task Definitions to see a list of defined tasks. Choose a task definition to review its container settings, including image location, resource allocation, environment variables, and networking.
3. Exploring the AWS Well-Architected Framework Pillars
Under Task Definitions, select a task definition and review its Container definitions. Ensure that the task is configured with appropriate CPU and memory allocations. These settings impact the container's performance and resource usage.
Logging and Monitoring:
In the task definition's Container definitions section, check if Log configuration is enabled (e.g., using Amazon CloudWatch Logs). Proper logging helps monitor container performance and troubleshoot issues efficiently.
Service Deployments:
Under Clusters, select a cluster and then a Service to review its Deployment configuration. Ensure that the Minimum healthy percent and Maximum percent values are set to allow for smooth deployments without affecting the running application.
Events and Health Checks:
Within a cluster's Service tab, navigate to Events to monitor the status of the service and identify any operational issues (e.g., failed tasks, deployment issues). Implementing health checks ensures that only healthy containers handle traffic.
In the Task Definitions, review the Task execution role. This IAM role allows ECS tasks to interact with other AWS services (e.g., pulling images from ECR). Ensure that the role follows the principle of least privilege, granting only necessary permissions.
Environment Variables:
In the task definition's Container definitions, review Environment variables for any sensitive information (e.g., API keys, credentials). Use AWS Secrets Manager or Parameter Store to securely manage and inject sensitive data.
Network Configuration:
Under a selected Service, check the Networking section to ensure that tasks run in the appropriate VPC and subnets (preferably private subnets). Also, verify the associated Security groups to confirm that only necessary ports are open.
Encryption:
In the Task Definitions, review if Encryption in transit is enabled for container communication (e.g., using HTTPS). For sensitive workloads, also ensure that data at rest is encrypted using EBS volume encryption for any mounted storage.
Within the Service details, check if Service Auto Scaling is enabled. Auto Scaling ensures that the service can automatically adjust the number of running tasks based on metrics (e.g., CPU or memory utilization), improving reliability under varying loads.
Task Definition Revisions:
In the Task Definitions section, review the revisions of task definitions. Proper versioning allows you to roll back to previous stable configurations if a deployment fails, enhancing reliability.
Health Check Settings:
For each Service within a cluster, ensure that Health checks are configured. Health checks help the service maintain reliability by automatically replacing failed tasks with new ones.
In the Task Definitions, check the CPU and memory settings for containers. Ensure that the resource allocation matches the application's requirements to avoid over-provisioning and unnecessary costs.
Service Auto Scaling:
If Service Auto Scaling is enabled, review the scaling policies to ensure they are based on appropriate metrics (e.g., CPU, memory utilization). This helps optimize costs by running the right number of tasks according to demand.
Image Optimization:
Under Task Definitions, review the Image configurations to verify that you are using optimized, lightweight container images. Smaller images result in faster start times and reduced storage and network costs.
Log Retention:
Check the Log configuration in the task definition. If using CloudWatch Logs, ensure that a log retention policy is set to avoid accumulating unnecessary logs, which can lead to increased storage costs.
In the Task Definitions, review the Network mode (e.g., awsvpc). Ensure that the network mode is optimized for your application requirements. The awsvpc mode provides each task with its own network interface, improving network performance.
Scaling Policies:
Under the Service details, check the Auto Scaling configuration. Ensure that scaling policies are based on appropriate performance metrics to automatically adjust the number of running tasks based on real-time demand, optimizing resource utilization.
Task Placement:
In the Service settings, review the Task placement strategy (e.g., binpack, random, spread) to optimize how tasks are distributed across the available infrastructure. Proper placement strategies can improve the overall performance of your application.
Use CloudWatch to monitor ECS metrics such as CPUUtilization and MemoryUtilization for the tasks. Regular monitoring helps identify performance bottlenecks and ensure cost-effective resource usage.
Log in to the AWS Management Console of securitytooling account.
AWS Config and Security Hub:
If AWS Config and Security Hub are enabled, review the findings related to ECS to ensure that your configurations meet security and compliance best practices.