ECS Delivery Technical Controls Calibration Guide

Table of Contents
Introduction ... 6
ECS-001: Amazon ECS Represents Majority of the Workload ... 7
  Requirement ... 7
  Criteria for Passing ... 7
  Why is this important ... 7
  Technical Enablement Resources ... 7
    - Amazon Elastic Container Service Documentation ... 7
  Good Example Response ... 7
  Unacceptable Response ... 7
ECS-002: Automated and Reliable Infrastructure and Workloads Deployment ... 8
  Requirement ... 8
  Criteria for Passing ... 8
  Why is this important ... 8
  Technical Enablement Resources ... 8
  Good Example Response ... 8
  Unacceptable Response ... 8
ECS-003: Singular Business Purpose for ECS Task Definitions ... 9
  Requirement ... 9
  Criteria for Passing ... 9
  Why is this important ... 9
  Technical Enablement Resources ... 9
  Good Example Response ... 9
  Unacceptable Response ... 9
ECS-004: Tagging Strategy and Amazon ECS Managed Tags and Tag Propagation ... 10
  Requirement ... 10
  Criteria for Passing ... 10
  Why is this important ... 10
  Technical Enablement Resources ... 10
  Good Example Response ... 10
  Unacceptable Response ... 11
ECS-005: IAM Roles for Task Definition Families ... 11
  Requirement ... 11
  Criteria for Passing ... 11
  Why is this important ... 11
  Technical Enablement Resources ... 11
  Good Example Response ... 11
  Unacceptable Response ... 11
ECS-006: Determining Amazon ECS Task Sizes ... 12
  Requirement ... 12
  Criteria for Passing ... 12
  Why is this important ... 12
  Technical Enablement Resources ... 12
  Good Example Response ... 12
  Unacceptable Response ... 12
ECS-007: Strategy for Addressing Cluster Capacity ... 13
  Requirement ... 13
  Criteria for Passing ... 13
  Why is this important ... 13
  Technical Enablement Resources ... 13
  Good Example Response ... 13
  Unacceptable Response ... 13
ECS-008: Strategy for Leveraging Amazon EC2 Spot and Fargate Spot ... 14
  Requirement ... 14
  Criteria for Passing ... 14
  Why is this important ... 14
  Technical Enablement Resources ... 14
  Good Example Response ... 14
  Unacceptable Response ... 15
ECS-009: Managing Multiple Amazon ECS Clusters ... 15
  Requirement ... 15
  Criteria for Passing ... 15
  Why is this important ... 16
  Technical Enablement Resources ... 16
  Good Example Response ... 16
  Unacceptable Response ... 16
ECS-010: Image Scanning Tool for Security ... 16
  Requirement ... 16
  Criteria for Passing ... 16
  Why is this important ... 17
  Technical Enablement Resources ... 17
  Good Example Response ... 17
  Unacceptable Response ... 17
ECS-011: Runtime Security Tool for Containerized Workloads ... 17
  Requirement ... 17
  Criteria for Passing ... 18
  Why is this important ... 18
  Technical Enablement Resources ... 18
  Good Example Response ... 18
  Unacceptable Response ... 18
ECS-012: Use of Optimized Operating Systems ... 18
  Requirement ... 18
  Criteria for Passing ... 19
  Why is this important ... 19
  Technical Enablement Resources ... 19
  Good Example Response ... 19
  Unacceptable Response ... 19
ECS-013: Addressing Compliance Standards ... 19
  Requirement ... 19
  Criteria for Passing ... 19
  Why is this important ... 20
  Technical Enablement Resources ... 20
  Good Example Response ... 20
  Unacceptable Response ... 20
ECS-014: Best Practices for ECS Anywhere ... 20
  Requirement ... 20
  Criteria for Passing ... 20
  Why is this important ... 20
  Technical Enablement Resources ... 21
  Good Example Response ... 21
  Unacceptable Response ... 21
ECS-015: Ingress Control for Network Traffic ... 21
  Requirement ... 21
  Criteria for Passing ... 21
  Why is this important ... 21
  Technical Enablement Resources ... 21
  Good Example Response ... 22
  Unacceptable Response ... 22
ECS-016: Addressing IP Exhaustion ... 22
  Requirement ... 22
  Criteria for Passing ... 22
  Why is this important ... 23
  Technical Enablement Resources ... 23
  Good Example Response ... 23
  Unacceptable Response ... 23
ECS-017: Facilitating Communication ... 23
  Requirement ... 23
  Criteria for Passing ... 23
  Why is this important ... 23
  Technical Enablement Resources ... 23
  Good Example Response ... 24
  Unacceptable Response ... 24
ECS-018: Observability Mechanisms ... 24
  Requirement ... 24
  Criteria for Passing ... 25
  Why is this important ... 25
  Technical Enablement Resources ... 25
  Good Example Response ... 25
  Unacceptable Response ... 25
ECS-019: Selecting Storage Options ... 25
  Requirement ... 25
  Criteria for Passing ... 26
  Why is this important ... 26
  Technical Enablement Resources ... 26
  Good Example Response ... 26
  Unacceptable Response ... 26
ECS-020: EFS Mount Targets in Availability Zones ... 27
  Requirement ... 27
  Criteria for Passing ... 27
  Why is this important ... 27
  Technical Enablement Resources ... 27
  Good Example Response ... 27
  Unacceptable Response ... 27
ECS-021: Securing Persistent Storage ... 27
  Requirement ... 27
  Criteria for Passing ... 28
  Why is this important ... 28
  Technical Enablement Resources ... 28
  Good Example Response ... 28
  Unacceptable Response ... 28
ECS-022: Task Placement Constraints for EBS ... 28
  Requirement ... 28
  Criteria for Passing ... 29
  Why is this important ... 29
  Technical Enablement Resources ... 29
  Good Example Response ... 29
  Unacceptable Response ... 29
ECS-023: Managing Multi-Tenant Workloads ... 29
  Requirement ... 29
  Criteria for Passing ... 30
  Why is this important ... 30
  Technical Enablement Resources ... 30
  Good Example Response ... 30
  Unacceptable Response ... 30
Resources ... 31
Notices ... 31

Introduction

This calibration guide is intended for AWS partners who have applied, or are interested in applying, to the Amazon ECS Delivery program. This guide only covers controls under the section "Amazon ECS Customer Reference Requirements"; the "Common Requirements" are addressed in a separate guide.

The calibration guide is formatted as a set of FAQs for each control. It is intended to provide clarity on the expected level of detail for the requested evidence. It helps partners improve application quality and reduce cycle time during the technical validation process. Additionally, partners can use the best practices in this technical guide to improve their Amazon EKS related service offerings.

Each control has the following FAQs:

Why is this important?

This section explains why a particular control is essential to implement from an architectural point of view for efficient AWS WAF operation, security, migration, etc.

What are the criteria for passing this control?

This section details the control and addresses questions about what level of information is needed to pass a particular control. It further describes the requirement so that it is easier for partners to provide the response needed in the self-assessment and pass it swiftly.

Technical Enablement Resources

This section discusses how to implement the specific control using AWS services. Partners can implement a certain control using third-party services; however, they should be able to justify that the service adheres to AWS standards and meets the control.

What are good example responses (if applicable)?

This section provides good response examples that meet the control and show the level of depth and expertise required in the assessment.

What are unacceptable/insufficient information responses (if applicable)?

This section is composed of response examples that do not meet the requirement of the control.

ECS-001: Amazon ECS Represents Majority of the Workload

Requirement

Amazon ECS is used to manage the majority of all workloads and core data flows for the system. Amazon Elastic Compute Cloud (EC2) instances or AWS Fargate should be used to manage the underlying infrastructure of the Amazon ECS cluster.

Please provide the following as evidence:

- List of workloads/components that are being deployed to Amazon ECS
- The output of running the following command: aws ecs list-tasks

Criteria for Passing

- Specify which infrastructure technology is being used and the decision criteria.
- Describe workloads/components that are not being managed by ECS.

Why is this important

This requirement ensures that partners applying to this competency are delivering solutions to customers implemented in ECS. Partners able to do so demonstrate domain competence and readiness to support AWS customers deploying solutions onto ECS.

Technical Enablement Resources

- Amazon Elastic Container Service Documentation

Good Example Response

Our IoT workload makes use of a container architecture to enhance agility and facilitate scalability, driven by Amazon ECS. These IoT devices send continuous streaming data that is processed using ECS. There are 3 data flows handled by the architecture. All 3 data flows are handled by AWS ECS, and we are not using any Amazon EC2. Please see the attached architecture diagram and design document listing the specific components.

Unacceptable Response

- Incomplete list of workloads.
- Missing command output.

ECS-002: Automated and Reliable Infrastructure and Workloads Deployment

Requirement

Changes to the infrastructure and workloads are automated using infrastructure as code tooling such as AWS CloudFormation, AWS CDK, or other third-party infrastructure as code tooling. These technical artifacts (both infrastructure and workload) must be version controlled and stored in a source repository such as GitHub. The tool being used must have rollback procedures in place in case of failure. Note: changes to production clusters/environments cannot be managed or conducted through the AWS Management Console.

Please provide the following as evidence:

- Infrastructure as code tooling used to manage infrastructure
- Description of the tools used for automated deployment
- Description of the deployment process and rollback procedures
- Description of the source repository that stores infrastructure and task definition files in source control
- Version control system used to manage technical artifacts
- Description of CI/CD tooling used to automate updates to the underlying workloads

Criteria for Passing

Requirement has sufficient context.

Why is this important

Automated and reliable deployment processes reduce errors, enhance efficiency, and ensure consistent environments across deployments.

Technical Enablement Resources

- AWS CloudFormation Documentation
- AWS CDK Documentation
- GitHub Documentation

Good Example Response

Our solution utilizes AWS CloudFormation to provision and maintain infrastructure through a CI/CD pipeline. CloudFormation already supports rollback triggers during stack creation or update. We use GitHub as our source repository, and it is used as the version control system managing all technical artifacts. Please see the attached CI/CD design document for further details.

Unacceptable Response

- Vague descriptions or lack of evidence of automation and version control.

ECS-003: Singular Business Purpose for ECS Task Definitions

Requirement

In the context of Amazon Elastic Container Service (ECS), a singular business purpose task is a task that runs a single application process in a container image. This approach is considered best practice when deploying containers on ECS because it ensures that each container image is focused on a single, well-defined function. Having a single purpose for each container makes it easier to manage and maintain the containers, as well as to scale and update individual components. It also improves security by reducing the attack surface and making it easier to apply security patches to specific components.

Please provide the following as evidence:

- A list of the created task definitions and a description of their business functions.

Criteria for Passing

Please describe ECS components that do not have a singular business purpose. Why was the decision made to build these components this way?

Why is this important

Ensuring each task serves a singular business purpose improves manageability, security, and scalability.

Technical Enablement Resources

- AWS ECS Task Definitions Documentation

Good Example Response

The solution deployed relies on 3 ECS containers for service order processing. The use case was to extend the on-premises environment to AWS using ECS Anywhere. On-premises we use ECS to run a container only responsible for service order collection. This container publishes service orders to an SQS queue in AWS. The VPC contains two AZs which have redundant ECS clusters running. In each cluster we have an ECS service order API and an ECS service web UI. All ECS containers run a separate business function.

Unacceptable Response

- Tasks performing multiple unrelated functions, or vague descriptions.

ECS-004: Tagging Strategy and Amazon ECS Managed Tags and Tag Propagation

Requirement

To ensure that application versions are tagged appropriately and that Amazon ECS Managed Tags and Tag Propagation are enabled, the following practices should be followed:

- There should be a one-to-one mapping between a version of application code, a container image tag, and a task definition revision. As part of the release process, a git commit should be turned into a container image that has its own associated git commit SHA. That container image tag should then get its own Amazon ECS task definition update.
- Amazon ECS Managed Tags and Tag Propagation should be enabled to attach and propagate tags on the tasks that the service launches. This is useful for usage and billing reports and can provide insight into resource usage.
- The tag dimensions should accurately represent how tasks are launched within an Amazon ECS cluster. Example dimensions can include environment=production or application=storefront.

Please provide the following as evidence:

- Description of the tagging strategy used by the partner to ensure application versions are tagged appropriately based on running task definitions
- Description of tag dimensions that accurately represent how tasks are launched within an Amazon ECS cluster
- Example of tag dimensions being used within and/or across Amazon ECS clusters that demonstrate that tasks are being mapped to singular business processes.

Criteria for Passing

Requirement contains sufficient context.

Why is this important

You can use tags to categorize your Amazon ECS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type. You can quickly identify a specific resource based on the tags that you assigned to it.

Technical Enablement Resources

- AWS Tagging Best Practices
- AWS ECS Managed Tags Documentation

Good Example Response

Tagging policy is enforced through our CI/CD pipeline, with ECS managed tags and tag propagation enabled. All newly launched tasks are automatically tagged with cluster information and several service tags. These service tags enable our solution to provide visibility into what each ECS task is doing. For example, here are a few of the tags currently in use: tag1=x, tag2=y, tag3=z, etc. Please see the attached documentation for a full list of all tags in use.

Unacceptable Response

- Lack of a clear tagging strategy or examples.
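The commit-to-image-to-revision mapping and the tag propagation settings that this control asks for, as an added example that is not part of the original guide and is neither AWS's nor any partner's pipeline code. It assumes constructed values (account id 111122223333, a `storefront` repository, a `git-commit` tag key and a small REQUIRED_DIMENSIONS policy); the `enableECSManagedTags` and `propagateTags` service settings and the `aws:ecs:clusterName` / `aws:ecs:serviceName` managed tag keys are the real Amazon ECS ones, so the same functions can be run over saved `describe-services` and `describe-task-definition` output.

```python
"""Release tagging and tag-propagation check for ECS-004.

Added example for this calibration guide, not AWS's or any partner's
pipeline code. It models the one-to-one mapping the control asks for
(git commit -> image tag -> task definition revision) and works out
which tags a launched task will actually carry given the service's
tag-propagation settings. All input is constructed; the account id,
registry, service and tag values are placeholders.
"""
import re

# Tag dimensions every launched task must carry (constructed policy for this example).
REQUIRED_DIMENSIONS = ("environment", "application", "git-commit")


def image_ref_for_commit(repository, commit_sha):
    """One release = one image tag, and the tag is the git commit SHA itself."""
    if not re.fullmatch(r"[0-9a-f]{7,40}", commit_sha):
        raise ValueError(f"not a git commit SHA: {commit_sha!r}")
    return f"{repository}:{commit_sha}"


def next_revision(family, current_revision, image_ref, base_tags):
    """Model registering one task definition revision per image tag, as
    `aws ecs register-task-definition` would for the family. Returns the
    revision in the (trimmed) shape describe-task-definition reports it."""
    commit = image_ref.rsplit(":", 1)[1]
    tags = [{"key": k, "value": v} for k, v in base_tags.items()]
    tags.append({"key": "git-commit", "value": commit})
    return {"family": family, "revision": current_revision + 1,
            "containerDefinitions": [{"name": family, "image": image_ref, "essential": True}],
            "tags": tags}


def effective_task_tags(service, task_definition):
    """Tags a task launched by this service will carry.

    propagateTags chooses the source (SERVICE, TASK_DEFINITION or NONE), and
    enableECSManagedTags adds the aws:ecs:clusterName / aws:ecs:serviceName
    keys that Amazon ECS manages itself.
    """
    source = service.get("propagateTags", "NONE")
    if source == "SERVICE":
        picked = service.get("tags", [])
    elif source == "TASK_DEFINITION":
        picked = task_definition.get("tags", [])
    else:
        picked = []  # NONE: nothing propagates, whatever the service or family is tagged with
    tags = {t["key"]: t["value"] for t in picked}
    if service.get("enableECSManagedTags"):
        tags["aws:ecs:clusterName"] = service["clusterArn"].rsplit("/", 1)[1]
        tags["aws:ecs:serviceName"] = service["serviceName"]
    return tags


def missing_dimensions(tags):
    """Required dimensions absent from a task's tags (empty list means pass)."""
    return [d for d in REQUIRED_DIMENSIONS if d not in tags]


# Constructed sample: one release of the storefront application.
REPOSITORY = "111122223333.dkr.ecr.us-east-1.amazonaws.com/storefront"
RELEASE_IMAGE = image_ref_for_commit(REPOSITORY, "3f9c2a1e")
STOREFRONT_TD = next_revision("storefront", 41, RELEASE_IMAGE,
                              {"environment": "production", "application": "storefront"})

# Two services in the (trimmed) shape of `aws ecs describe-services` output:
# one configured as the control requires, one that silently drops every tag.
GOOD_SERVICE = {"serviceName": "storefront",
                "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/prod",
                "enableECSManagedTags": True, "propagateTags": "TASK_DEFINITION", "tags": []}
BAD_SERVICE = {"serviceName": "storefront",
               "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/prod",
               "enableECSManagedTags": False, "propagateTags": "NONE",
               "tags": [{"key": "environment", "value": "production"}]}

if __name__ == "__main__":
    print(f"{STOREFRONT_TD['family']}:{STOREFRONT_TD['revision']} -> {RELEASE_IMAGE}")
    for label, svc in (("good", GOOD_SERVICE), ("bad", BAD_SERVICE)):
        tags = effective_task_tags(svc, STOREFRONT_TD)
        print(label, tags, "missing:", missing_dimensions(tags))
```

The point of the second service is the failure mode an assessor looks for: a service can be tagged correctly and still launch untagged tasks if `propagateTags` is `NONE`, so the evidence should show the propagation setting, not only the tag list.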

ECS-005: IAM Roles for Task Defini on Families


Requirement
Task definition families should have their own associated IAM roles to limit how much
access each service has to resources within a partners AWS accounts

Please provide the following as evidence:

 ARNs of the task definitions from the case studies provided, showing that the attached IAM
roles are scoped down according to the principle of least privilege

Criteria for Passing


Requirement has sufficient context.

Why is this important


Using scoped IAM roles enhances security by ensuring least privilege access.

Technical Enablement Resources


 AWS IAM Roles Documentation

Good Example Response


ECS tasks belonging to the same group are associated with their own IAM policy. Please see
the attached document for the ARNs for ECS tasks in this system.

Unacceptable Response
Task definitions lacking proper IAM role configurations.

ECS-006: Determining Amazon ECS Task Sizes

Requirement
Task definitions need to be appropriately sized based on application requirements for tasks
running in an Amazon ECS cluster to be able to scale properly and for capacity planning
purposes.

Please provide the following as evidence:

 Description of resource reservations and limits for running tasks within the partner's
Amazon ECS cluster
 Example task definition file that demonstrates proper usage of resource reservations
and limits

Criteria for Passing


Discuss how ECS task sizing is determined. For example, are resource utilization metrics
gathered through CloudWatch analyzed to decide what size each task should take on?

Why is this important


Proper task sizing ensures efficient resource utilization, scaling and cost.

Technical Enablement Resources


 Best practices for Amazon ECS task sizes

Good Example Response


ECS task sizing is based on customer requirements around the customer's subscriber base and
projected growth. Our solution also contains a resource optimizer that analyzes resource
utilization, both CPU and memory, to determine optimal ECS task sizing. This is done by
determining utilization throughout a business cycle and sizing to the 90th percentile. HPA is
enabled, which allows for scaling horizontally if demand grows beyond the configured sizes.

Unacceptable Response
 Vague or incomplete descriptions of task sizes and resource settings.

ECS-007: Strategy for Addressing Cluster Capacity

Requirement
Amazon ECS capacity providers scale your Amazon ECS clusters up and down for you. A cluster
uses at least one of the three available capacity provider types: 1) Amazon EC2, 2) Fargate,
and 3) Fargate Spot. The recommended approach for scaling clusters is to leverage capacity
providers and not to scale clusters manually.

Please provide the following as evidence:

 Description of how the partner has configured Amazon ECS capacity providers to
address scaling events within their Amazon ECS clusters

Criteria for Passing


 Description of capacity provider configurations. Specify target percentage and why it
was selected.

Why is this important


Proper capacity management ensures efficient and scalable cluster operations.

Technical Enablement Resources


 AWS ECS Capacity Providers Documentation

Good Example Response


We are using Amazon ECS to manage the scaling of Amazon EC2 instances registered to our
cluster. The feature is called Amazon ECS cluster auto scaling. We set the target percentage
to 65% (in alignment with customer requirements). The minimum and maximum capacity of
the cluster group is set to 2 and 8, respectively. ECS has created CloudWatch metrics that it
monitors for alarms to scale the cluster in and out.

Unacceptable Response
 Lack of proper configuration descriptions.

ECS-008: Strategy for Leveraging Amazon EC2 Spot and Fargate Spot

Requirement
Spot capacity is appropriate for batch processing, machine-learning workloads, and
dev/staging environments where temporary downtime is acceptable. During high demand, the
unavailability of Spot capacity can cause delays in Fargate Spot tasks and EC2 Spot instance
launches. However, ECS services and EC2 Auto Scaling groups will retry launches until the
required capacity is available. Spot capacity will not be replaced with on-demand capacity.
When overall demand increases, instances and tasks may be terminated with a two-minute
warning, and tasks should start an orderly shutdown to minimize errors. To minimize Spot
shortages, partners should utilize capacity across multiple Regions and Availability Zones,
leverage multiple EC2 instance types in Auto Scaling groups, and use a capacity-optimized
Spot allocation strategy.

Please provide the following as evidence (note that the AWS CLI commands below should be
run prior to completing the self-assessment):

 Description of the strategy used to minimize Spot capacity shortages when utilizing
EC2 Spot Instances and Fargate Spot.
 Output of "aws ecs describe-capacity-providers --region $region".
 Output of "aws ec2 describe-spot-fleet-requests --region $region".

Criteria for Passing


Sufficient context exists in the requirement.

Why is this important


With Spot Instances, you can use spare Amazon EC2 computing capacity at discounts of up
to 90% compared to On-Demand pricing. That means you can significantly reduce the cost of
running your applications, or grow your application's compute capacity and throughput for
the same budget. The only difference between On-Demand Instances and Spot Instances is
that Spot Instances can be interrupted by EC2 with two minutes of notification when EC2
needs the capacity back.

Technical Enablement Resources


 AWS Spot Instances Documentation
 Powering your Amazon ECS Cluster with Amazon EC2 Spot Instances

Good Example Response


Our solution is designed to leverage capacity across multiple regions and AZs with varying
EC2 instance types for our autoscaling configuration. We utilize a capacity-optimized spot
allocation strategy, which allows us to request spot instances from the pools that have the
lowest chance of interruption. Our fleet optimizes for capacity first, but honors instance type
priorities on a best-effort basis. Please see the attached document for the output of 'aws ecs
describe-capacity-providers' and 'aws ec2 describe-spot-fleet-requests'.

Unacceptable Response
 Missing command outputs or vague descriptions.

ECS-009: Managing Multiple Amazon ECS Clusters


Requirement
Partners that spread their workloads across multiple Amazon ECS clusters must have a
uniform and consistent method for provisioning of container-related infrastructure, and
management of workloads across multiple clusters. Use cases for having multiple Amazon
ECS clusters include the following as examples:

 Resource isolation: You might want to create separate Amazon ECS clusters for
different applications or environments, to isolate their resources and prevent potential
interference between them.
 Different deployment pipelines: If you have multiple applications with different
deployment pipelines, you can create separate Amazon ECS clusters for each
application to manage their deployments independently.
 Different scaling requirements: If you have different applications with varying
resource utilization patterns, you can create separate Amazon ECS clusters for each
application to optimize their scaling and cost.
 Different security requirements: If you have different applications with different
security requirements, you can create separate Amazon ECS clusters for each
application to manage their security independently.
 Different network requirements: If you have different applications with different
network requirements, you can create separate Amazon ECS clusters for each
application to manage their network resources independently.

Please provide the following as evidence for multi-cluster workloads:

 Description of IaC tool being used to define and deploy Amazon ECS clusters.
Partners may also provide sample templates that cover how container related
infrastructure is being deployed and managed.
 Description of the tool being used for multi-cluster management.
 If Amazon ECS clusters and their respective workloads are being deployed on-prem
using ECS Anywhere (ECS-A) or in hybrid scenarios, please provide justification for doing so.
 If multiple AWS accounts are being used, please provide description that details how
AWS accounts are mapped per cluster/workload and the purpose for each cluster
being defined. Example would be a scenario in which an AWS account is being used
as the “management” or “control” plane that is then used to deploy Amazon ECS
clusters to target AWS accounts.

Criteria for Passing


Sufficient context in requirement.
Why is this important
There are various reasons to manage multiple ECS clusters, such as: 1) resource isolation,
2) different deployment pipelines, 3) different scaling requirements, 4) different security
requirements, and 5) different network requirements.

Technical Enablement Resources


 Cluster Management with Amazon ECS
 Amazon ECS Clusters

Good Example Response


We use AWS CloudFormation to deploy ECS clusters. Please see the attached CloudFormation
template that describes the infrastructure allocation. We deploy multiple clusters within a
single account, separated using VPCs. One cluster is used for management and the other
clusters are worker nodes. The architecture is described in the attached design document.

Unacceptable Response
 Lack of detailed descriptions or justifications.

ECS-010: Image Scanning Tool for Security


Requirement
Any image that is being used within the cluster must be stored in an image repository such as
Amazon ECR and must go through a security scan to ensure that there are no security
vulnerabilities. The partner should also have a process in place where images are regularly
scanned for vulnerabilities.

Please provide the following as evidence:

 Description of image repository being used for submitted case studies
 Description of the tool and configuration used to protect running containers within the
cluster. If ECR is being used, task definitions should demonstrate the proper
configurations:
o Amazon ECR repository policies allow Amazon ECS tasks to pull container
images
o Image versions in ECR should match versions specified in task definition files
 Partner should have a monitoring/observability mechanism/tooling to monitor usage of the
ECR repository to ensure that expected container images are being pulled and stored
in Amazon ECR

Criteria for Passing


 Description of image repository.
 Description of image scanning tool and configurations.
 Evidence of ECR repository policies and monitoring mechanisms.

Why is this important


Image scanning ensures container security by identifying vulnerabilities.

Technical Enablement Resources


 AWS ECR Documentation
 AWS Image Scanning Documentation

Good Example Response


ECR is being used as the image repository, with ECR image scanning as the primary tool to
identify software vulnerabilities in our container images. We have enabled enhanced
scanning, which utilizes Amazon Inspector for continuous scanning of our repositories. Both
OS and language-level packages are scanned. Amazon EventBridge is set up to provide
notifications on scans and results. Please see the attached task definition file for the
associated configuration.

Unacceptable Response
 Lack of detailed descriptions or evidence of image scanning.
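A deployment gate for ECS-010, added here as an example (not code from the guide or from AWS): it evaluates the EventBridge event that ECR emits when an image scan completes and checks that the task definition pins exactly the digest that was scanned, rather than a mutable tag. The events and task definitions are constructed with placeholder values; the accepted scan-status values for enhanced (Inspector) scanning are an assumption noted in the code.

```python
"""Added example, not code from the calibration guide or from AWS: gate a
rollout on the scan-completed event ECR publishes to EventBridge, and confirm
that the task definition references the scanned digest (ECS-010). Events are
constructed after the documented "ECR Image Scan" shape; account, repository
and digest values are placeholders."""

# Severities that block a rollout; the guide leaves the threshold to the partner.
BLOCKING = ("CRITICAL", "HIGH")
# Assumption: basic scans report COMPLETE; enhanced scanning (Amazon Inspector,
# detail-type "Inspector2 Scan") reports INITIAL_SCAN_COMPLETE on first scan.
COMPLETE_STATUSES = {"COMPLETE", "INITIAL_SCAN_COMPLETE"}
SCAN_EVENT_TYPES = {"ECR Image Scan", "Inspector2 Scan"}


def scan_verdict(event, blocking=BLOCKING):
    """Return (allowed, reason) for one scan-completed event."""
    if event.get("detail-type") not in SCAN_EVENT_TYPES:
        return False, "not an image scan event"
    detail = event.get("detail", {})
    if detail.get("scan-status") not in COMPLETE_STATUSES:
        return False, f"scan status {detail.get('scan-status')}"
    counts = detail.get("finding-severity-counts", {})
    blocked = {s: counts[s] for s in blocking if counts.get(s, 0) > 0}
    if blocked:
        return False, f"blocking findings: {blocked}"
    return True, "no blocking findings"


def image_matches_scan(image_ref, event):
    """ECS-010 also asks that the image version in ECR match the task
    definition. A mutable tag (":latest") cannot prove that, so require a
    digest reference and compare it with the digest the scan reports."""
    if "@sha256:" not in image_ref:
        return False, "image not pinned by digest"
    digest = image_ref.split("@", 1)[1]
    scanned = event.get("detail", {}).get("image-digest")
    if digest != scanned:
        return False, "task definition digest differs from scanned digest"
    return True, "digest matches scanned image"


def deployment_allowed(task_def, event):
    """Combine both checks for every container in the task definition."""
    ok, why = scan_verdict(event)
    if not ok:
        return False, why
    for c in task_def["containerDefinitions"]:
        ok, why = image_matches_scan(c["image"], event)
        if not ok:
            return False, f"{c['name']}: {why}"
    return True, "allowed"


# Constructed sample data (placeholder account, repository and digest).
DIGEST = "sha256:" + "ab" * 32
REPO = "123456789012.dkr.ecr.us-east-1.amazonaws.com/storefront"


def _scan_event(counts, status="COMPLETE", digest=DIGEST):
    """Build a constructed "ECR Image Scan" event with the given counts."""
    return {
        "detail-type": "ECR Image Scan",
        "source": "aws.ecr",
        "detail": {
            "scan-status": status,
            "repository-name": "storefront",
            "image-digest": digest,
            "image-tags": ["1.4.2"],
            "finding-severity-counts": counts,
        },
    }


CLEAN_EVENT = _scan_event({"MEDIUM": 2, "LOW": 5})
VULN_EVENT = _scan_event({"CRITICAL": 1, "MEDIUM": 2})
PINNED_TD = {"containerDefinitions": [{"name": "api", "image": f"{REPO}@{DIGEST}"}]}
TAGGED_TD = {"containerDefinitions": [{"name": "api", "image": f"{REPO}:latest"}]}

if __name__ == "__main__":
    for label, td, ev in (("pinned/clean", PINNED_TD, CLEAN_EVENT),
                          ("pinned/vuln", PINNED_TD, VULN_EVENT),
                          ("tagged/clean", TAGGED_TD, CLEAN_EVENT)):
        print(label, deployment_allowed(td, ev))
```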

ECS-011: Runtime Security Tool for Containerized Workloads

Requirement
Workloads running inside a cluster must have active protection for every containerized
workload that is running, including prevention of malicious syscalls being made to the
underlying host operating system. Restricting which syscalls can be made from inside the
container helps reduce the application's attack surface. Note that runtime security
configuration differs between Windows and Linux containers.

Please provide the following as evidence:

 Amazon ECS cluster has a tool or configuration in place to protect running containers
from malicious syscalls being made to the underlying host operating system.
 Evidence that the specific tool or configuration used for protection is actively
protecting running containers
 If open-source or third-party tooling is being used, a description of the specific tool
and the security modules/configurations added
 If Windows containers are being used, a description of the security boundary within
the Windows environment and the tool used to assess running Windows containers

Criteria for Passing
 Description of security tool or configuration.
 Evidence of active protection for running containers.

Why is this important


Runtime security reduces the risk of malicious activities within containers.

Technical Enablement Resources


 AWS ECS Security Best Practices

Good Example Response


The solution is deployed using Linux containers and we routinely scan workloads to identify
whether certain Linux capabilities exist which shouldn't. For example, we remove
CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, etc. Containers are never run in
privileged mode. We also enable Amazon GuardDuty for runtime protection of the
containers and the underlying OS. Please see the attached screenshot of the security
configuration.

Unacceptable Response
 Lack of evidence of runtime security measures.
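An offline linter that covers ECS-005, ECS-006 and ECS-011 in one pass, added here as an example and not code from the guide or from AWS. It reads task definitions of the shape returned by aws ecs describe-task-definition; the families, role ARNs and account id below are constructed placeholders.

```python
"""Added example, not code from the calibration guide or from AWS: offline
checks for ECS-005 (one task role per task definition family), ECS-006
(task sizing) and ECS-011 (runtime hardening) over task definition JSON of
the shape `aws ecs describe-task-definition` returns. All sample task
definitions, ARNs and the account id are constructed placeholders."""

# Capabilities the ECS-011 example response removes. Task definitions name
# capabilities without the CAP_ prefix ("CHOWN"), so both spellings are
# normalised before comparison.
REQUIRED_DROPS = {"CHOWN", "DAC_OVERRIDE", "FOWNER"}


def _norm_cap(name):
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def lint_task_definition(td):
    """Return (control, message) findings for one task definition."""
    findings = []
    family = td.get("family", "<unknown>")
    task_role, exec_role = td.get("taskRoleArn"), td.get("executionRoleArn")

    # ECS-005: the task role is what application code assumes; the execution
    # role is what the ECS agent uses to pull images and ship logs. Reusing
    # one as the other hands the application the agent's permissions.
    if not task_role:
        findings.append(("ECS-005", f"{family}: no taskRoleArn"))
    elif task_role == exec_role:
        findings.append(("ECS-005", f"{family}: taskRoleArn equals executionRoleArn"))

    # ECS-006: either task-level cpu/memory or a per-container memory limit.
    task_sized = bool(td.get("cpu")) and bool(td.get("memory"))
    for c in td.get("containerDefinitions", []):
        cname = c.get("name", "<unnamed>")
        if not task_sized and not (c.get("memory") or c.get("memoryReservation")):
            findings.append(("ECS-006", f"{family}/{cname}: no cpu/memory sizing"))

        # ECS-011: never privileged; baseline capabilities dropped (or ALL).
        if c.get("privileged"):
            findings.append(("ECS-011", f"{family}/{cname}: privileged=true"))
        caps = c.get("linuxParameters", {}).get("capabilities", {})
        dropped = {_norm_cap(x) for x in caps.get("drop", [])}
        missing = REQUIRED_DROPS - dropped
        if "ALL" not in dropped and missing:
            findings.append(("ECS-011", f"{family}/{cname}: not dropped: {sorted(missing)}"))
    return findings


def roles_shared_across_families(task_defs):
    """ECS-005: return task roles that more than one family uses."""
    by_role = {}
    for td in task_defs:
        if td.get("taskRoleArn"):
            by_role.setdefault(td["taskRoleArn"], set()).add(td["family"])
    return {r: sorted(f) for r, f in by_role.items() if len(f) > 1}


# Constructed sample task definitions (placeholder account 123456789012).
GOOD_TD = {
    "family": "storefront-api",
    "taskRoleArn": "arn:aws:iam::123456789012:role/storefront-api-task",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecs-execution",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/storefront:1.4.2",
        "privileged": False,
        "linuxParameters": {"capabilities": {"drop": ["CHOWN", "DAC_OVERRIDE", "FOWNER"]}},
    }],
}
# Reuses the execution role as its task role, is unsized and privileged:
# the kind of task definition the guide lists as an unacceptable response.
BAD_TD = {
    "family": "batch-worker",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecs-execution",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecs-execution",
    "containerDefinitions": [{"name": "worker", "image": "batch:latest", "privileged": True}],
}
# Hardened, but shares storefront-api's task role across families.
REPORTS_TD = {
    "family": "reports",
    "taskRoleArn": "arn:aws:iam::123456789012:role/storefront-api-task",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecs-execution",
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [{"name": "rep", "image": "reports:2.0",
                              "linuxParameters": {"capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for td in (GOOD_TD, BAD_TD, REPORTS_TD):
        for control, msg in lint_task_definition(td):
            print(control, msg)
    print("shared task roles:", roles_shared_across_families([GOOD_TD, BAD_TD, REPORTS_TD]))
```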

ECS-012: Use of Op mized Opera ng Systems


Requirement
Partner should be leveraging Amazon ECS optimized AMIs that are optimized for
containerized workloads to ensure that customer workloads are protected. At least one of the
customer example workloads is implemented on one of the operating systems listed below.
Other operating systems may be considered, given that the partner provides justification for
using such an operating system with their Amazon ECS cluster.

 Amazon Linux
 Ubuntu Linux
 Bottlerocket OS
 Windows

Please provide the following as evidence:

 Operating system being used as part of the implementation. If a different operating
system was implemented outside of the ones listed above, please provide the name of
the distribution being used along with the use case
 If the partner is not using Amazon ECS optimized AMIs, please provide justification as to
why

Criteria for Passing


 Description of the operating system used.
 Justification for non-ECS optimized AMIs, if applicable.

Why is this important


Using an optimized OS ensures efficient and secure container operations.

Technical Enablement Resources


 AWS ECS Optimized AMIs Documentation

Good Example Response


All containers are deployed using Amazon Linux containers. Please see attached task
definitions for details.

Unacceptable Response
 Lack of detailed descriptions or justifications.

ECS-013: Addressing Compliance Standards


Requirement
Partners working with customers whose underlying workloads must adhere to compliance
standards and frameworks carry the compliance responsibility of ensuring that the sensitivity
of customer data, the customer's compliance objectives, and applicable laws and regulations
are addressed based on the specific compliance standard the customer needs to adhere to.
Note that if the customer references do not need to adhere to regulatory or compliance
standards, the partner may answer with N/A.

Please provide the following as evidence:

 Description of internal processes and tooling used to address customer workloads that
must adhere to regulatory compliance standards
 Description of the operational runbooks that are handed off to the customer after the
workload has been implemented and that outline the regulatory compliance guidelines
needed to address third-party audits

Criteria for Passing


Sufficient context already provided in requirement.
Why is this important
AWS serves a variety of customers, including those in regulated industries. Through our
shared responsibility model, we enable customers to manage risk effectively and efficiently
in the IT environment, and provide assurance of effective risk management through our
compliance with established, widely recognized frameworks and programs. This
requirement helps to understand whether the partner is able to implement the customer
components of the shared responsibility model.

Technical Enablement Resources


 AWS Compliance Documentation

Good Example Response


Customer is not subject to any regulatory requirements as such we are responding with N/A.

Unacceptable Response
Lack of detailed descriptions or evidence of compliance measures in the case where customer
is subject to regulatory requirements.

ECS-014: Best Prac ces for ECS Anywhere


Requirement
Amazon ECS capacity being deployed on-prem or at different edge locations must follow the
best practices for leveraging ECS-A, which can be found here
(https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-anywhere.html).

Partners that are leveraging ECS-A for deploying capacity on-prem or at various edge
locations must provide the following as evidence

 Description and/or guidance given to customers that demonstrates the ability to
deploy ECS Anywhere capacity across different environments outside of AWS.
 Description and/or guidance given to customers that demonstrates the ability to
provision ECS-A capacity at different edge locations. AWS Outposts is considered a
valid edge location.

Criteria for Passing


Sufficient context provided in requirement.

Why is this important


Amazon ECS Anywhere provides support for registering an external instance, such as an on-
premises server or virtual machine (VM), to your Amazon ECS cluster. External instances are
optimized for running applications that generate outbound traffic or process data. This
requirement ensures best practices for ECS Anywhere deployments are being followed.
Technical Enablement Resources
 AWS ECS Anywhere Documentation

Good Example Response


The solution deployed does not leverage ECS-A; instead, all ECS clusters and running workloads
are within the AWS data center.

Unacceptable Response
 Lack of detailed descriptions or guidance.

ECS-015: Ingress Control for Network Traffic


Requirement
Partner should have a strategy around how to control network traffic that is going into the
tasks to securely allow traffic into the tasks. This includes specifying the ingress controller of
choice and specifying a set of rules to configure ingress traffic. All layer 7 traffic must be
secured with TLS or mTLS.

Please provide the following as evidence:

 Description of the ingress controller and infrastructure like: VPCs, NAT Gateways,
Subnets, and ENIs and their configurations. Partners may also provide screenshot or
pseudo-code that describes how the ingress method of choice is configured to securely
allow traffic into the tasks.
 Description of network modes and load balancing systems and their associated
configurations; along with elaborations on why certain strategies were used.

Criteria for Passing


Sufficient context in requirement.

Why is this important


An ingress controller is responsible for reading the ingress resource information and
processing it appropriately. As there are different ingress controllers that can do this job, it’s
important to choose the right one for the type of traffic and load coming into your ECS
cluster. This control ensures partners have put sufficient thought into their choice of
controller and have properly set up rules to configure ingress traffic securely and efficiently.

Technical Enablement Resources


 AWS ECS Networking Documentation
Good Example Response
Our solution leverages a single instance of a Network Load Balancer to route traffic to a set
of Amazon ECS clusters. AWS Cloud Map is used in conjunction with AWS Lambda to
discover services deployed under Amazon ECS, and an instance of an NGINX service acts as
an “ingress controller,” performing Layer 7 routing of requests to the backend services.

1. A Network Load Balancer with a TCP listener that is associated with a single target
group. This target group is configured to register its targets using IP mode and
perform health checks on its targets using the HTTP protocol.
2. An NGINX service deployed under Amazon ECS which registers its tasks with the
aforementioned target group. NGINX performs the role of a reverse proxy,
forwarding requests to other backend services, also deployed under Amazon ECS
within the same VPC.
3. A set of backend services deployed under Amazon ECS, which have registered
themselves with an AWS Cloud Map service registry and, therefore, can be reached
from the NGINX service using their private DNS names.
4. An AWS Lambda function that is triggered on a schedule in Amazon EventBridge. It
discovers backend services registered under service registries in AWS Cloud Map and
then updates proxy configurations for the NGINX service.

Unacceptable Response
 Lack of detailed descriptions or configurations.

ECS-016: Addressing IP Exhaus on


Requirement
Partners deploying tasks to Amazon ECS need to address the potential networking
concerns around IP exhaustion within the VPC that the tasks are being deployed to. There are
a variety of mechanisms to address IP exhaustion with the various systems available within
Amazon ECS. Note that this applies where Auto Scaling groups or managed node groups are
being used; it does not apply to Fargate use cases.

Please provide the following as evidence:

 Description of the strategy to address IP exhaustion within the VPC that the ECS tasks
are being deployed to, such as multiple subnets, custom ENI configurations with
trunking, or changing task density, based on the official documentation found here:
AWS ECS Documentation for IP Exhaustion

Criteria for Passing


Guidance given to customers on how to address IP exhaustion within the VPC that the cluster
is being deployed to, such as creating secondary CIDRs and custom VPC CNI configuration
based on AWS official documentation.
Why is this important
IP exhaustion is a common issue for AWS ECS clusters, and customers have had problems
maintaining network topology because of constant growth and increased workloads. They can
quickly run out of IP space while planning out the VPC CIDR. Utilizing CNI custom
networks or unique networks for nodes and pods are two possible routes to addressing this
issue.

Technical Enablement Resources


 Amazon ECS Task Networking Options

Good Example Response


The customer networking team has requested IPv6 pods. VPC CNI assigns IPv6 addresses to
pods from the AWS managed VPC IPv6 CIDR range. See the attached document describing
the network architecture.

Unacceptable Response
Partner has no mechanism in place to address potential IP exhaustion, and the solution is at
risk of losing network topology fidelity.

ECS-017: Facilitating Communication


Requirement
Partners deploying tasks to Amazon ECS need to consider the collection of customer tasks
and ensure communication between them is facilitated without traversing external load
balancers. There are a variety of mechanisms to permit communication within ECS, with
AWS services and with other external systems.

Please provide the following as evidence:

 Description of networking choices made to connect to AWS services, to customer
services, and to external systems, such as a service mesh (ECS Service Connect or
App Mesh), internal load balancers, integration with API Gateway, etc., based on the
official documentation found here: AWS ECS Documentation for connectivity

Criteria for Passing


 Description of networking choices and configurations.

Why is this important


Efficient communication improves service integration and performance.

Technical Enablement Resources


 AWS ECS Connectivity Documentation
Good Example Response
Our solution leverages a single instance of a Network Load Balancer to route traffic to a set
of Amazon ECS clusters. AWS Cloud Map is used in conjunction with AWS Lambda to
discover services deployed under Amazon ECS, and an instance of an NGINX service acts as
an “ingress controller,” performing Layer 7 routing of requests to the backend services.

1. A Network Load Balancer with a TCP listener that is associated with a single target
group. This target group is configured to register its targets using IP mode and
perform health checks on its targets using the HTTP protocol.
2. An NGINX service deployed under Amazon ECS which registers its tasks with the
aforementioned target group. NGINX performs the role of a reverse proxy,
forwarding requests to other backend services, also deployed under Amazon ECS
within the same VPC.
3. A set of backend services deployed under Amazon ECS, which have registered
themselves with an AWS Cloud Map service registry and, therefore, can be reached
from the NGINX service using their private DNS names.
4. An AWS Lambda function that is triggered on a schedule in Amazon EventBridge. It
discovers backend services registered under service registries in AWS Cloud Map and
then updates proxy configurations for the NGINX service.

Unacceptable Response
 Lack of detailed descriptions or configurations.

ECS-018: Observability Mechanisms


Requirement
Partner must have proper observability mechanisms in place that address logging, metrics,
and tracing with ability to drill down to the individual app/container level:

1. Ability to collect and filter metrics at both the application/container layer and the
infrastructure layer.
2. Ability to capture metrics and logs during service-level scaling events.
3. Ability to support monitoring of several environments - environments that span
multiple AWS Regions, accounts, and/or hybrid (ECS & ECS Anywhere, if
applicable)
4. Ability to support distributed tracing to analyze and debug applications running
within an Amazon ECS cluster

Please provide the following as evidence:

 Description of observability mechanism that addresses the above.


Persistent Storage: Partner should follow the best practices for persistent storage use to
maintain reliability, availability and performance of the customer applications deployed
within Amazon ECS

Criteria for Passing


 Description of observability mechanisms.

Why is this important


Observability is a key pillar when it comes to developing well-architected solutions on AWS
(in this case ECS). Without the proper observability tooling/mechanisms in place, the partner
and their prospective customers have no way to understand if the solution being implemented
is operating effectively and efficiently.

Technical Enablement Resources


The more common approach is to use third-party ISV solutions such as Datadog, New
Relic, Dynatrace, or Splunk. The other option is to take an AWS-native approach
leveraging services like CloudWatch, CloudWatch Container Insights, Amazon Managed
Prometheus and Grafana.
 https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-logging-monitoring.html
 https://aws.amazon.com/blogs/opensource/simplifying-amazon-ecs-monitoring-set-up-with-aws-distro-for-opentelemetry/

Good Example Response


The solution implements Prometheus as the monitoring mechanism for cluster and application-
level visibility. Metrics are collected and stored as time series data, i.e., metric information is
stored with the timestamp at which it was recorded, alongside optional key-value pairs
called labels. We monitor performance to continuously optimize resources in the
environment. Please see the attached monitoring design document to see how metrics for
the 10 components highlighted in the requirement are captured.

Unacceptable Response
A partner that simply states “we are using Datadog” as an example is not an acceptable
response. All topics defined above must be addressed in the response itself, or we will mark
this particular control as a fail.

ECS-019: Selecting Storage Options


Requirement
Partner must determine the storage needs of the ECS tasks and provision the appropriate type
of storage for the containers. Best-practice use cases for each storage type include:

 EFS for Linux containers on Fargate or EC2 with concurrent access and horizontal
scalability requirements
 EBS for EC2 deployed transactional database applications with sub-millisecond
latency requirements, that do not require a shared file system when scaled
horizontally. (EBS is unavailable for Fargate deployments currently).
 External Database service integrations for workloads without ultra-low latency
requirements
 EBS for workloads that require high performance storage during their lifecycle but do
not require data persistence after task completion
 The Docker volumes plugin may be used for ECS tasks using the Docker container
runtime, provided they are hosted on an EC2 instance with an EBS volume available
to mount; however, use of this volume type may result in data loss if the instance is
stopped and the task is relocated
 FSx for Windows File Server for clusters that contain windows instances
 Other 3rd party plugins or integrations may be used depending on the specific
requirements for the workload and performance characteristics of the storage option
selected

Please provide the following as evidence:

 Description of the workload and storage selected, required (or expected) performance
metrics needed and the reasoning for each storage/workload pairing

Criteria for Passing


Include what storage options were selected and performance metrics monitored. What was
the reasoning behind the storage/workload pairings?

Why is this important


Proper storage selection ensures performance and reliability.

Technical Enablement Resources


 AWS ECS Storage Options Documentation

Good Example Response


EBS volumes were paired with the tasks for this solution. These volumes provide cost-
effective, durable, high-performance block storage for data-intensive containerized
workloads. Our primary use cases were transactional workloads such as databases, virtual
desktops and root volumes, and throughput-intensive workloads such as log processing and
ETL workloads. We use Datadog to monitor storage volume performance and routinely
optimize where needed.

Unacceptable Response
We use EBS volumes.

ECS-020: EFS Mount Targets in Availability Zones

Requirement
For workloads that utilize EFS, an Amazon ECS task can only mount an Amazon EFS file
system if the file system has a mount target in the Availability Zone the task runs in. The
partner must ensure that all Availability Zones that will run tasks have a mount target
available so that storage is accessible throughout the cluster.

Please provide the following as evidence:

 Confirmation of whether EFS was or was not used (if no EFS was used, this
requirement is N/A)
 A list of the Availability Zones that are expected to run tasks, and confirmation that
mount targets have been created in each of these Availability Zones

Criteria for Passing


Sufficient context exists in the requirement.

Why is this important


Ensuring mount targets in all zones maintains storage accessibility.

Technical Enablement Resources


 AWS EFS Documentation

Good Example Response


Our solution does not leverage EFS and therefore not applicable.

Unacceptable Response
 Lack of confirmations or lists.

ECS-021: Securing Persistent Storage


Requirement
Access restrictions can be applied via several methods:

 Security Groups can be configured to permit and deny traffic to EFS mount targets on
port 2049 based upon the security group connected to the ECS instances, or when
using awsvpc network mode within the cluster at the ECS task level
 ECS tasks can be configured to require an IAM role for file system access when
mounting to the EFS file system. See Using IAM to control file system data access
(https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html) in the
Amazon Elastic File System User Guide.
 Amazon EFS access points are application-specific entry points into an Amazon EFS
file system. You can use access points to enforce a user identity, including the user's
POSIX groups, for all file system requests that are made through the access point.
Access points can also enforce a different root directory for the file system. This is so
that clients can only access data in the specified directory or its sub-directories.

Please provide the following as evidence:

• Description of how access requirements were evaluated
• Description of the method chosen to restrict access to only the entities requiring
access
• Example configuration showing the access control in place (security group
configuration, IAM role based EFS access setup, EFS access point identity
requirements)
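The following is an added example, not taken from this guide or from AWS, that checks in Python whether an ECS task definition's EFS volumes and the EFS file system policy actually implement the IAM and access point methods described above: transit encryption turned on (ECS treats an omitted transitEncryption as DISABLED), IAM authorization enabled, an access point set, a Deny on cleartext mounts in the file system policy, and no unconditional Allow for arbitrary principals. The task definition, file system ID, access point ID, role ARN and account ID are constructed sample values.

```python
"""Audit the EFS access controls an ECS task definition relies on.

Added example; all IDs, ARNs and the account number are constructed values.
"""
import json

# Constructed task definition with two EFS volumes: "scratch" keeps the ECS
# defaults, "tenant-data" uses TLS, IAM authorization and an access point.
TASK_DEFINITION = {
    "family": "reporting",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/reporting-task-role",
    "volumes": [
        {"name": "scratch",
         "efsVolumeConfiguration": {
             "fileSystemId": "fs-0123456789abcdef0",
             "rootDirectory": "/",
             "transitEncryption": "DISABLED"}},
        {"name": "tenant-data",
         "efsVolumeConfiguration": {
             "fileSystemId": "fs-0123456789abcdef0",
             "transitEncryption": "ENABLED",
             "authorizationConfig": {
                 "accessPointId": "fsap-0123456789abcdef0",
                 "iam": "ENABLED"}}},
    ],
}

FS_ARN = "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0123456789abcdef0"
AP_ARN = "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0123456789abcdef0"

# Constructed EFS file system (resource) policy: refuse cleartext NFS, and
# allow only the task role, and only through the access point.
FILE_SYSTEM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedTransport",
         "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
         "Resource": FS_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AllowTaskRoleViaAccessPoint",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting-task-role"},
         "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
         "Resource": FS_ARN,
         "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": AP_ARN}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_efs_volumes(task_def):
    """Return {volume name: [findings]} for each EFS volume in a task definition.
    ECS treats a missing transitEncryption as DISABLED, so omission counts too."""
    report = {}
    for volume in task_def.get("volumes", []):
        cfg = volume.get("efsVolumeConfiguration")
        if cfg is None:
            continue  # host path or Docker volume, not EFS
        auth = cfg.get("authorizationConfig", {})
        findings = []
        if cfg.get("transitEncryption") != "ENABLED":
            findings.append("transit encryption disabled: NFS traffic is cleartext and "
                            "IAM authorization cannot be enabled")
        if auth.get("iam") != "ENABLED":
            findings.append("IAM authorization disabled: any client that can reach the "
                            "mount target on TCP 2049 can mount the file system")
        if not auth.get("accessPointId"):
            findings.append("no access point: the task sees the file system root with "
                            "the container's own POSIX identity")
        elif cfg.get("rootDirectory", "/") != "/":
            findings.append("rootDirectory must be omitted or '/' when an access point "
                            "is set; the access point's path is used instead")
        report[volume["name"]] = findings
    return report


def audit_file_system_policy(policy):
    """Return findings for an EFS file system (resource) policy."""
    findings = []
    statements = policy.get("Statement", [])
    if not any(s.get("Effect") == "Deny" and
               s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in statements):
        findings.append("no Deny for aws:SecureTransport=false: cleartext mounts are allowed")
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        principal = s.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and "*" in _as_list(principal.get("AWS", [])))
        if anyone and "Condition" not in s:
            findings.append(f"{sid}: unconditional Allow for any principal")
        if "elasticfilesystem:ClientRootAccess" in _as_list(s.get("Action", [])):
            findings.append(f"{sid}: grants ClientRootAccess")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_efs_volumes(TASK_DEFINITION), indent=2))
    print(json.dumps(audit_file_system_policy(FILE_SYSTEM_POLICY), indent=2))
```

The "scratch" volume fails all three volume checks and "tenant-data" passes; the constructed policy passes both policy checks. The same functions can be run over the output of `aws ecs describe-task-definition` and `aws efs describe-file-system-policy` to produce the example configuration this control asks for.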

Criteria for Passing


Sufficient context exists in the requirement.

Why is this important


Securing storage access protects data integrity and security.

Technical Enablement Resources


• AWS EFS Security Documentation

Good Example Response


Our solution does not use EFS and therefore this is not applicable.

Unacceptable Response
• Lack of detailed descriptions or configurations.

ECS-022: Task Placement Constraints for EBS


Requirement
When using EBS volumes on Amazon EC2 container instances to store data for tasks, it is
recommended to use task placement constraints to ensure that the task and its data are
kept together. An EBS volume is attached to a single instance in a single Availability
Zone, so the constraint must identify that instance (for example through a custom
container instance attribute), not merely its Availability Zone. This is important for
applications that need to persist data after the task ends, like a MySQL database. For
tasks that don't need to persist data, task placement constraints are not necessary.
For example, a task that processes large amounts of data may need high performance
storage, which EBS can provide, but data persistence is not important.

Please provide the following as evidence:

• List of EBS volumes and the tasks associated with each volume
• Task description for each workload using an EBS volume, and its data persistence
requirements
• If the workload(s) require data to persist outside the task's lifecycle, provide an
example of the task placement constraints that will ensure restarted tasks are placed
with the EBS volume they require
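An added example in Python, not from this guide or from AWS, showing the pinning mechanism and the check that goes with it: the instance holding the EBS volume is given a custom attribute, the task definition exposes the EBS mount point as a host volume and carries a memberOf constraint on that attribute, and a small evaluator for the `==` / `!=` / `and` subset of the ECS cluster query language shows which instances are eligible. The attribute name `data-volume`, the instance IDs and the mount paths are hypothetical; `ecs.availability-zone` and `ecs.instance-type` are built-in attributes that ECS sets on every container instance.

```python
"""Pin a task to the container instance that holds its EBS-backed data.

Added example; instance IDs, the "data-volume" attribute name and the mount
paths are hypothetical. ecs.availability-zone is a built-in instance attribute;
custom attributes come from ECS_INSTANCE_ATTRIBUTES in /etc/ecs/ecs.config.
"""
import re

# Constructed inventory of container instances in one cluster.
INSTANCES = [
    {"id": "i-0aaa", "attrs": {"ecs.availability-zone": "us-east-1a",
                                "ecs.instance-type": "m5.large",
                                "data-volume": "mysql-primary"}},  # carries the volume
    {"id": "i-0bbb", "attrs": {"ecs.availability-zone": "us-east-1a",
                                "ecs.instance-type": "m5.large"}},
    {"id": "i-0ccc", "attrs": {"ecs.availability-zone": "us-east-1b",
                                "ecs.instance-type": "i3.xlarge"}},
]

# Task definition fragment: the EBS mount point on the instance is exposed as a
# host volume, and a memberOf constraint keeps the task on the instance that
# carries the custom attribute.
MYSQL_TASK = {
    "family": "mysql",
    "volumes": [{"name": "data", "host": {"sourcePath": "/mnt/ebs/mysql"}}],
    "placementConstraints": [
        {"type": "memberOf", "expression": "attribute:data-volume == mysql-primary"}],
}

# Same volume but only an Availability Zone constraint: a restarted task may be
# placed on i-0bbb, which has no such volume, and start with an empty directory.
WEAK_TASK = {
    "family": "mysql-weak",
    "volumes": [{"name": "data", "host": {"sourcePath": "/mnt/ebs/mysql"}}],
    "placementConstraints": [
        {"type": "memberOf", "expression": "attribute:ecs.availability-zone == us-east-1a"}],
}

# Subset of the ECS cluster query language: 'attribute:name == value' and '!=',
# joined with 'and'. No 'in', '=~', 'or' or parentheses.
_CLAUSE = re.compile(r"^attribute:([\w.\-]+)\s*(==|!=)\s*(\S+)$")


def clause_matches(clause, attrs):
    """Evaluate one comparison clause against an instance's attribute map."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported expression: {clause!r}")
    name, op, value = m.groups()
    return (attrs.get(name) == value) if op == "==" else (attrs.get(name) != value)


def eligible_instances(task_def, instances):
    """IDs of instances that satisfy every memberOf constraint of the task."""
    expressions = [c["expression"] for c in task_def.get("placementConstraints", [])
                   if c.get("type") == "memberOf"]
    return [inst["id"] for inst in instances
            if all(clause_matches(part, inst["attrs"])
                   for expr in expressions for part in expr.split(" and "))]


def host_volume_pinned(task_def):
    """True when the task has no host (instance-local) volume, or when it has a
    memberOf constraint on a custom attribute. A constraint on the built-in
    ecs.* attributes alone does not identify the instance holding the volume."""
    uses_host_volume = any(v.get("host", {}).get("sourcePath")
                           for v in task_def.get("volumes", []))
    if not uses_host_volume:
        return True
    for c in task_def.get("placementConstraints", []):
        if c.get("type") != "memberOf":
            continue
        for part in c["expression"].split(" and "):
            m = _CLAUSE.match(part.strip())
            if m and not m.group(1).startswith("ecs."):
                return True
    return False


if __name__ == "__main__":
    for task in (MYSQL_TASK, WEAK_TASK):
        print(task["family"], eligible_instances(task, INSTANCES), host_volume_pinned(task))
```

On the instance that carries the volume, the custom attribute is set through `ECS_INSTANCE_ATTRIBUTES` in `/etc/ecs/ecs.config` before the agent registers, or afterwards with `aws ecs put-attributes`. With only the Availability Zone constraint both `i-0aaa` and `i-0bbb` are eligible, which is exactly the failure this control is meant to prevent.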

Criteria for Passing


• List of EBS volumes and associated tasks.
• Task descriptions and placement constraints.

Why is this important


Ensuring data access with placement constraints improves reliability.

Technical Enablement Resources


• AWS ECS Task Placement Documentation

Good Example Response


We use several EBS volumes for our workloads, outlined in the attached doc ('ebs_vol.xlsx').
We use task placement to configure Amazon ECS to place our tasks on container instances
that meet certain criteria. All container nodes have EBS volumes, so our placement strategy
is even distribution across the worker nodes. We have also grouped tasks together based on
business function. A placement constraint exists to ensure the data processing container only
lands on storage optimized instances.

Unacceptable Response
• Lack of detailed lists or descriptions.

ECS-023: Managing Multi-Tenant Workloads


Requirement
Partners that are implementing multi-tenant workloads on behalf of their customer must be
aware of the various levels of tenancy that can be achieved on Amazon ECS. "Soft" isolation
or multi-tenancy on Amazon ECS is the approach of leveraging task-level resource quotas,
tenant-specific IAM roles for ECS tasks, and namespaces in AWS Cloud Map to create
isolation boundaries between tasks within a shared Amazon ECS cluster.

Please provide the following as evidence:

• Task definition file used as part of the case study submitted that has resource quotas
defined in the task definition
• IAM role that is used as part of the case study submitted to isolate tenants operating
within the same ECS cluster
• Namespace configuration defined for service discovery in AWS Cloud Map
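An added example in Python, not from this guide or from AWS, that audits the three soft-isolation controls listed above across a constructed set of tenants: task-level cpu/memory quotas, a tenant-specific task role whose trust policy carries the `aws:SourceAccount` / `aws:SourceArn` condition AWS recommends against the confused-deputy problem, a role policy scoped to the tenant's own resources, and a Cloud Map namespace not shared with another tenant. Tenant names, the account ID, ARNs, namespaces and policies are constructed; the "resource ARN contains the tenant name" check is a heuristic standing in for whatever naming convention the case study actually uses.

```python
"""Audit the soft-isolation controls of ECS-023 across a set of tenants.

Added example; tenant names, the account ID, ARNs, namespaces and policies are
constructed. The "resource ARN contains the tenant name" check is a stand-in
for whatever naming convention the case study actually uses.
"""
ACCOUNT = "123456789012"  # hypothetical account ID

# Trust policy with the confused-deputy condition AWS recommends for task roles.
TRUST_WITH_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
            "ArnLike": {"aws:SourceArn": f"arn:aws:ecs:us-east-1:{ACCOUNT}:*"}}}],
}
# Same trust without the condition: nothing restricts which account's tasks
# may reference and assume the role.
TRUST_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole"}],
}


def tenant_policy(tenant):
    """Role policy scoped to one tenant's S3 prefix (hypothetical bucket name)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::tenant-data/{tenant}/*"}]}


SHARED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed tenants: "acme" follows the pattern; "globex" and "initech" share
# a role and a namespace, which collapses the boundary between them.
TENANTS = {
    "acme": {
        "task_definition": {"family": "app-acme", "cpu": "512", "memory": "1024",
                            "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/app-acme"},
        "trust_policy": TRUST_WITH_CONDITION,
        "role_policy": tenant_policy("acme"),
        "namespace": "acme.internal"},
    "globex": {
        "task_definition": {"family": "app-globex",
                            "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/app-shared"},
        "trust_policy": TRUST_OPEN,
        "role_policy": SHARED_POLICY,
        "namespace": "shared.internal"},
    "initech": {
        "task_definition": {"family": "app-initech", "cpu": "256", "memory": "512",
                            "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/app-shared"},
        "trust_policy": TRUST_WITH_CONDITION,
        "role_policy": SHARED_POLICY,
        "namespace": "shared.internal"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_tenant(name, tenant):
    """Per-tenant findings: quotas, task role, trust condition, policy scope."""
    findings = []
    td = tenant["task_definition"]
    if not (td.get("cpu") and td.get("memory")):
        findings.append("no task-level cpu/memory quota: one tenant can starve the rest")
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: containers inherit the instance role")
    for s in tenant["trust_policy"].get("Statement", []):
        if s.get("Principal", {}).get("Service") != "ecs-tasks.amazonaws.com":
            continue
        keys = {k for block in s.get("Condition", {}).values() for k in block}
        if not keys & {"aws:SourceAccount", "aws:SourceArn"}:
            findings.append("task role trust policy lacks aws:SourceAccount/aws:SourceArn")
    for s in tenant["role_policy"].get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        for res in _as_list(s.get("Resource", [])):
            if res == "*" or f"/{name}/" not in res:
                findings.append(f"role policy resource {res!r} is not scoped to {name}")
    return findings


def audit_all(tenants):
    """Per-tenant findings plus cross-tenant sharing of roles and namespaces."""
    report = {name: audit_tenant(name, t) for name, t in tenants.items()}
    shared_checks = (("task role", lambda t: t["task_definition"].get("taskRoleArn")),
                     ("Cloud Map namespace", lambda t: t.get("namespace")))
    for label, get in shared_checks:
        owners = {}
        for name, t in tenants.items():
            owners.setdefault(get(t), []).append(name)
        for value, names in owners.items():
            if len(names) > 1:
                for n in names:
                    report[n].append(f"{label} {value} is shared by {', '.join(names)}")
    return report


if __name__ == "__main__":
    for name, findings in audit_all(TENANTS).items():
        print(name, findings or "OK")
```

Only "acme" comes back clean; "globex" also lacks quotas and the trust condition, and both "globex" and "initech" are flagged for the shared role, the shared namespace and the unscoped `s3:*` on `*`. A shared task role means one tenant's compromised container holds credentials valid for the other tenant's data, which is the data exfiltration case this control refers to.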

Partners that need to adhere to highly regulated industry requirements, or that operate
SaaS environments where strong isolation is required, must demonstrate that they
understand the drawbacks of operating in an environment with strong multi-tenancy
requirements. This typically includes giving each tenant its own fully isolated ECS
cluster, or its own dedicated AWS account.

Please provide the following as evidence:

• Short description of the specific requirements set out by the client that constitute
operating in an environment with hard multi-tenancy.
• Description of a tenant operator being used to manage tenants within a cluster.
• Tooling/ISV solution used to run/manage multiple virtualized clusters on a single
underlying cluster, which allows for hard(er) multi-tenancy.
• Tooling/ISV solution used to run/manage multiple AWS accounts, e.g. AWS
Organizations.

Criteria for Passing


• Task definition files with resource quotas.
• IAM roles for tenant isolation.
• Namespace configurations for service discovery.

Why is this important


Understanding the context behind why a certain tenancy model was selected gives insight
into the security and resource-sharing trade-offs, e.g. how the design guards against
cross-tenant data exfiltration or denial of service.

Technical Enablement Resources


• AWS ECS Multi-Tenancy Documentation

Good Example Response


Our solution does not require hard isolation and therefore soft multi-tenancy is leveraged using
task-level resource quotas, tenant-specific IAM policies and namespaces in AWS Cloud
Map. Please see the attached task configurations, IAM policies and screenshots of the AWS
Cloud Map configuration.

Unacceptable Response
• Lack of detailed definitions or configurations.
Resources
Visit the AWS Service Delivery Program Guide to get an overview of the program.
Explore AWS Service Delivery Benefits to understand AWS Service Delivery benefits.
Find the Amazon ECS Service Delivery checklist.
Visit How to build a microsite to understand how to build a Practice/solution page.
Check out How to build an architecture diagram to build an architecture diagram.
Learn about the Well-Architected Framework on the Well-Architected website.

Notices
Partners are responsible for making their own independent assessment of the
information in this document. This document: (a) is for informational purposes only,
(b) represents current AWS product offerings and practices, which are subject to
change without notice, and (c) does not create any commitments or assurances from
AWS and its affiliates, suppliers or licensors. AWS products or services are provided
"as is" without warranties, representations, or conditions of any kind, whether express
or implied. The responsibilities and liabilities of AWS to its customers and partners are
controlled by AWS agreements, and this document is not part of, nor does it modify,
any agreement between AWS and its customers/partners.
