If you are using Amazon ECS in your AWS environment, it is important that you ensure it meets your security requirements. A task definition is required to run Docker containers in Amazon ECS. Some of the parameters you can specify in a task definition include:
1. The Docker images to use with the containers in your task
2. How much CPU and memory to use with each container
3. Any data volumes that should be used with the containers in the task
With ECS task support in Compliance Engine, you can now reason about container metadata.
Below are a few queries that you could to analyze your ECS Tasks in your infrastructure:
1. query on the container status:
EcsTask should not have healthStatus = ‘UNKNOWN’
EcsTask should not have healthStatus = 'UNKNOWN'
2. Query on container metadata
EcsTask should not have containers contain [ name = 'myapp']
For more information, check out the Amazon ECS documentation and Dome9 Helpcenter