aws.ecs-task

Filters

config-compliance

event

finding

list-item

marked-for-op

network-location

ops-item

reduce

security-group

subnet

taggable

task-definition

value

taggable

Filter ECS resources on arn-format https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html :example:

policies:
    - name: taggable
      resource: ecs-service
      filters:
        - type: taggable
          state: True

Permissions - ecs:ListTasks

task-definition

Filter tasks by their task definition.

Example:: Find any fargate tasks that are running without read only root and stop them.

policies:
  - name: fargate-readonly-tasks
    resource: ecs-task
    filters:
      - launchType: FARGATE
      - type: task-definition
        key: "containerDefinitions[].readonlyRootFilesystem"
        value: None
        value_type: swap
        op: contains
    actions:
      - type: stop

Permissions - ecs:DescribeTaskDefinition, ecs:ListTaskDefinitions

Actions

auto-tag-user

copy-related-tag

invoke-lambda

invoke-sfn

mark-for-op

notify

post-finding

post-item

put-metric

remove-tag

stop

tag

webhook

stop

Stop/Delete a currently running task.

Permissions - ecs:StopTask