Runtime coverage and troubleshooting for Amazon ECS clusters
The runtime coverage for Amazon ECS clusters includes the tasks running on AWS Fargate and Amazon ECS container instances1.
For an Amazon ECS cluster that runs on Fargate, the runtime coverage is assessed at the task level. The ECS clusters runtime coverage includes those Fargate tasks that have started running after you have enabled Runtime Monitoring and automated agent configuration for Fargate (ECS only). By default, a Fargate task is immutable. GuardDuty will not be able to install the security agent to monitor containers on already running tasks. To include such a Fargate task, you must stop and start the task again. Make sure to check if the associated service is supported.
For information about Amazon ECS container, see Capacity creation.
Contents
Reviewing coverage statistics
The coverage statistics for the Amazon ECS resources associated with your own account or your member accounts is the percentage of the healthy Amazon ECS clusters over all the Amazon ECS clusters in the selected AWS Region. This includes the coverage for Amazon ECS clusters associated with both Fargate and Amazon EC2 instances. The following equation represents this as:
(Healthy clusters/All clusters)*100
Considerations
-
The coverage statistics for the ECS cluster include the coverage status of the Fargate tasks or ECS container instances associated with that ECS cluster. The coverage status of the Fargate tasks include tasks that either are in running state or have recently finished running.
-
In the ECS clusters runtime coverage tab, the Container instances covered field indicates the coverage status of the container instances associated with your Amazon ECS cluster.
If your Amazon ECS cluster contains only Fargate tasks, the count appears as 0/0.
-
If your Amazon ECS cluster is associated with an Amazon EC2 instance that doesn't have a security agent, the Amazon ECS cluster will also have an Unhealthy coverage status.
To identify and troubleshoot the coverage issue for the associated Amazon EC2 instance, see Troubleshooting Amazon EC2 runtime coverage issues for Amazon EC2 instances.
Choose one of the access methods to review the coverage statistics for your accounts.
For more information about coverage issues, see Troubleshooting Amazon ECS-Fargate runtime coverage issues.
Coverage status change with EventBridge notifications
The coverage status of your Amazon ECS cluster might appear as Unhealthy. To know when the coverage status changes, we recommend you to monitor the coverage status periodically, and troubleshoot if the status becomes Unhealthy. Alternatively, you can create an Amazon EventBridge rule to receive a notification when the coverage status changes from either Unhealthy to Healthy or otherwise. By default, GuardDuty publishes this in the EventBridge bus for your account.
Sample notification schema
In an EventBridge rule, you can use the pre-defined sample events and event patterns to receive coverage status notification. For more information about creating an EventBridge rule, see Create rule in the Amazon EventBridge User Guide.
Additionally, you can create a custom event pattern by using the following example
notification schema. Make sure to replace the values for your account. To get notified when the
coverage status of your Amazon ECS cluster changes from Healthy
to
Unhealthy
, the detail-type
should be GuardDuty Runtime
Protection Unhealthy
. To get notified when the coverage status changes from
Unhealthy
to Healthy
, replace the value of detail-type
with GuardDuty Runtime Protection Healthy
.
{ "version": "0", "id": "event ID", "detail-type": "GuardDuty Runtime Protection Unhealthy", "source": "aws.guardduty", "account": "AWS account ID", "time": "event timestamp (string)", "region": "AWS Region", "resources": [ ], "detail": { "schemaVersion": "1.0", "resourceAccountId": "string", "currentStatus": "string", "previousStatus": "string", "resourceDetails": { "resourceType": "ECS", "ecsClusterDetails": { "clusterName":"", "fargateDetails":{ "issues":[], "managementType":"" }, "containerInstanceDetails":{ "coveredContainerInstances":int, "compatibleContainerInstances":int } } }, "issue": "string", "lastUpdatedAt": "timestamp" } }
Troubleshooting Amazon ECS-Fargate runtime coverage issues
If the coverage status of your Amazon ECS cluster is Unhealthy, you can view the reason under the Issue column.
The following table provides the recommended troubleshooting steps for Fargate (Amazon ECS only) issues. For information about Amazon EC2 instance coverage issues, see Troubleshooting Amazon EC2 runtime coverage issues for Amazon EC2 instances.
Issue type | Extra information | Recommended troubleshooting steps |
---|---|---|
Agent not reporting |
Agent not reporting for tasks in |
Validate that the VPC endpoint for your Amazon ECS cluster's task is correctly configured. For more information, see Validating VPC endpoint configuration. If your organization has a service control policy (SCP), validate that permissions
boundary is not restricting the |
|
View the VPC issue details in the extra information. |
|
Agent exited |
ExitCode: |
View the issue details in the extra information. |
Reason: |
||
ExitCode: |
||
Agent exited: Reason: |
The task execution role must have the following Amazon Elastic Container Registry (Amazon ECR) permissions:
For more information, see Provide ECR permissions and subnet details. After you add the Amazon ECR permissions, you must restart the task. If the issue persists, see My AWS Step Functions workflow is failing unexpectedly. |
|
VPC Endpoint Creation Failed |
Enabling private DNS requires both |
Ensure that the following VPC attributes are set to If you're using Amazon VPC Console at https://console.aws.amazon.com/vpc/ |
Agent not provisioned |
Unsupported invocation by |
This task was invoked by a |
Unsupported CPU architecture ' |
This task is running on an unsupported CPU architecture. For information about supported CPU architectures, see Validating architectural requirements. |
|
|
The ECS task execution role is missing. For information about providing task execution role and required permissions, see Provide ECR permissions and subnet details. |
|
Missing network configuration
' |
Network configuration issues may show up because of missing VPC configuration, or missing or empty subnets. Validate that your network configuration is correct. For more information, see Provide ECR permissions and subnet details. For more information, see Amazon ECS task definition parameters in the Amazon Elastic Container Service Developer Guide. |
|
Others |
Unidentified issue, for tasks in |
Use the following questions to identify the root cause of the issue:
|