ECS Clusters Have Container Insights Enabled

Overview

This check verifies that your Amazon ECS clusters have CloudWatch Container Insights enabled. Container Insights collects performance metrics and logs from your containerized applications, giving you visibility into CPU usage, memory consumption, network traffic, and task restarts.

Risk

Without Container Insights, you lose visibility into what is happening inside your ECS clusters. This makes it harder to:

• Detect performance problems like CPU or memory spikes
• Identify containers that are restarting unexpectedly
• Troubleshoot slow or failing services
• Spot unusual activity that could indicate a security issue (e.g., cryptomining or data exfiltration)

Enabling Container Insights helps you catch problems early and respond quickly.

Remediation Steps

Prerequisites

You need permission to modify ECS cluster settings. Typically this means having the ecs:UpdateClusterSettings permission.

Required IAM permissions

To enable Container Insights, your IAM user or role needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateClusterSettings",
        "ecs:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

1. Open the Amazon ECS console
2. In the left navigation, click Clusters
3. Click on the cluster name you want to update
4. Click the Update cluster button (top right)
5. Under Monitoring, find CloudWatch Container Insights
6. Select Enhanced (recommended) or Use Container Insights
7. Click Update

Repeat for each cluster that needs Container Insights enabled.

AWS CLI (optional)

Enable Container Insights on an existing cluster:

aws ecs update-cluster-settings \
  --cluster <your-cluster-name> \
  --settings name=containerInsights,value=enabled \
  --region us-east-1

For enhanced observability (provides additional metrics):

aws ecs update-cluster-settings \
  --cluster <your-cluster-name> \
  --settings name=containerInsights,value=enhanced \
  --region us-east-1

Enable for all clusters in your account:

for cluster in $(aws ecs list-clusters --region us-east-1 --query 'clusterArns[*]' --output text); do
  aws ecs update-cluster-settings \
    --cluster "$cluster" \
    --settings name=containerInsights,value=enabled \
    --region us-east-1
done

CloudFormation (optional)

Use the ClusterSettings property to enable Container Insights when creating a new cluster:

AWSTemplateFormatVersion: '2010-09-09'
Description: ECS Cluster with Container Insights enabled

Parameters:
  ClusterName:
    Type: String
    Default: my-ecs-cluster
    Description: Name of the ECS cluster

Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      Tags:
        - Key: Environment
          Value: Production

Outputs:
  ClusterArn:
    Description: ARN of the ECS cluster
    Value: !GetAtt ECSCluster.Arn
  ClusterName:
    Description: Name of the ECS cluster
    Value: !Ref ECSCluster

Note: To use enhanced observability, change Value: enabled to Value: enhanced.

Terraform (optional)

Use the setting block to enable Container Insights:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_name" {
  description = "Name of the ECS cluster"
  type        = string
  default     = "my-ecs-cluster"
}

resource "aws_ecs_cluster" "main" {
  name = var.cluster_name

  setting {
    name  = "containerInsights"
    value = "enabled"
  }

  tags = {
    Environment = "Production"
  }
}

output "cluster_arn" {
  description = "ARN of the ECS cluster"
  value       = aws_ecs_cluster.main.arn
}

output "cluster_name" {
  description = "Name of the ECS cluster"
  value       = aws_ecs_cluster.main.name
}

Note: To use enhanced observability, change value = "enabled" to value = "enhanced".

Verification

After enabling Container Insights, verify it is working:

1. Open the Amazon ECS console
2. Click on Clusters in the left navigation
3. Select your cluster
4. Look for the Monitoring tab - you should see metrics appearing within a few minutes

Verify with AWS CLI

aws ecs describe-clusters \
  --clusters <your-cluster-name> \
  --include SETTINGS \
  --region us-east-1 \
  --query 'clusters[0].settings'

Expected output when enabled:

[
  {
    "name": "containerInsights",
    "value": "enabled"
  }
]

Additional Resources

• AWS Documentation: Amazon ECS CloudWatch Container Insights
• AWS Documentation: Container Insights metrics
• AWS Documentation: Setting up Container Insights

Notes

• Cost consideration: Container Insights incurs CloudWatch charges based on the metrics collected. Review the CloudWatch pricing page to understand potential costs.
• Enhanced vs Standard: The "enhanced" setting provides additional task and container-level metrics with curated dashboards. Use "enabled" for standard Container Insights if you want basic cluster metrics at lower cost.
• Account-level default: You can set Container Insights as the default for all new clusters in your account using aws ecs put-account-setting-default --name containerInsights --value enabled.
• Cluster name reuse warning: If you delete a cluster without Container Insights and recreate it with the same name with Container Insights enabled, you must wait 7 days for the setting to take effect properly.