Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | ECS doesn't directly use API keys; it relies on IAM roles and policies for authentication and authorization. | Relies on IAM for authentication and authorization. |
| Authentication & Authorization | IAM Integration | True | Amazon ECS tightly integrates with AWS Identity and Access Management (IAM), enabling granular control over access to ECS resources through roles and policies. | |
| Authentication & Authorization | MFA | True | AWS IAM supports MFA for users and administrators accessing ECS through the AWS console or CLI. Enforcement is the responsibility of the organization. | |
| Authentication & Authorization | Service Account Support | True | IAM roles act as service accounts, allowing ECS tasks and services to access other AWS resources with least privilege. | |
| Authentication & Authorization | Standard Protocols | True | Amazon ECS primarily uses AWS's own authentication mechanisms, but integrates with other services that support OAuth 2.0 and similar standards for authorization. | |
| Compliance & Certifications | Compliance Documentation | True | AWS provides comprehensive compliance documentation on its website. | |
| Compliance & Certifications | Industry Certifications | True | AWS is certified for many compliance frameworks, including ISO 27001, SOC 2, and others. Compliance of applications running on ECS is dependent on proper configuration and management by the user. | Compliance depends on proper configuration and use. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking/redaction is not a feature of ECS itself; it must be implemented within the applications running inside the containers. | Requires implementation within the application. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | ECS doesn't have built-in DLP capabilities. Integration with other AWS services like Macie would be necessary to scan for sensitive data. | Requires integration with other AWS services. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data transfer between regions is controlled through VPC peering, transit gateways, or other networking configurations. ECS itself does not inherently restrict data flow; it's managed at the infrastructure and application level. | Requires configuration and management of underlying services. |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides tools and documentation to track and verify data locations within specific AWS regions. While not always precise to the container level, it is possible to determine the region where ECS tasks are running and where data is stored through the associated services, such as S3 and EFS. | |
| Data Residency & Sovereignty | Region Selection | True | Amazon ECS allows you to deploy and manage containers in various AWS regions globally, enabling you to meet data residency requirements by selecting appropriate regions. | |
| Encryption | Encryption at Rest | True | Encryption at rest depends on the storage services used by the ECS tasks. AWS offers various options for encrypting data stored in EBS volumes, S3 buckets, and other data stores integrated with ECS. This involves configuring customer-managed keys (CMKs) or using AWS-managed keys. | Requires configuration of underlying storage services. |
| Encryption | Encryption in Transit | True | Amazon ECS uses HTTPS for communication between components. TLS 1.2+ is generally in use, though the specific cipher suite configuration may depend on the client and other network settings. It is the responsibility of the user to manage and enforce security policies and configurations. | |
| Logging & Monitoring | Access Logging | True | Access logs are not automatically generated by ECS, but must be explicitly configured within the applications and services running in containers. | Requires configuration of logging within the ECS task. |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail provides audit logging for API calls related to ECS management. | Requires configuration of CloudTrail. |
| Logging & Monitoring | Log Retention | True | Log retention policies are configurable within CloudWatch Logs for logs related to ECS. | Requires configuration of CloudWatch Logs. |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch provides metrics and monitoring capabilities that can be integrated with ECS to create alerts and monitor the health and performance of ECS clusters and tasks. | Requires configuration of CloudWatch. |
| Network Security | API Gateway Integration | True | While not directly integrated, API Gateway can be used to manage and secure traffic to applications running in ECS. | Requires separate configuration. |
| Network Security | DDoS Protection | True | AWS Shield and other AWS services provide protection against DDoS attacks; integrating these protections with ECS deployments is necessary. | Requires configuration of AWS Shield or other services. |
| Network Security | Firewall Rules | True | Security groups and Network ACLs within the VPC are used to control ingress and egress traffic to and from ECS resources. | Requires configuration of security groups and network ACLs. |
| Network Security | Private Access | True | Amazon ECS supports deploying containers within a VPC, enabling private networking and access control through security groups and network ACLs. | |
| Secure Development Lifecycle (SDL) | API Design Principles | False | ECS itself doesn't define API design principles. Secure coding practices are the responsibility of application developers. | Depends on application design. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | False | Code review and testing are the responsibility of the developers creating applications that run on ECS; ECS doesn't inherently provide these features. | Responsibility lies with the developers of containerized applications. |
| Vulnerability Management & Patching | Security Updates | True | AWS regularly updates its underlying infrastructure, but it is up to users to manage security updates for container images and applications running within ECS. | Responsibility lies with the user for container images and underlying infrastructure. |
| Vulnerability Management & Patching | Vulnerability Scanning | False | ECS doesn't provide built-in vulnerability scanning. Third-party tools and services would need to be integrated to perform vulnerability scans on container images and running applications. | Requires integration with third-party tools. |