Remediation

Enable Logging for ECS Task Definitions

Using the AWS CLI

Retrieve the existing task definition

aws ecs describe-task-definition \
    --task-definition {{family-or-full-arn}} \
    --query 'taskDefinition' > task-def.json

Edit task-def.json

Add a logConfiguration object to each container definition.

"containerDefinitions": [
    {
        "name": "{{my-app}}",
        "image": "{{my-image}}",
        "logConfiguration": {
            "logDriver": "{{awslogs}}",
            "options": {
                "awslogs-group": "{{/ecs/my-app-logs}}",
                "awslogs-region": "{{us-east-1}}",
                "awslogs-stream-prefix": "{{ecs}}"
            }
        },
        ...
    }
]

Note: Ensure that the Task Execution Role (executionRoleArn) has the following permissions:

logs:CreateLogStream
logs:PutLogEvents

Register the updated task definition

aws ecs register-task-definition --cli-input-json file://task-def.json

Update your ECS service to use the new task definition revision

Enable Logging for ECS Task Definitions​

Using the AWS CLI​

Enable Logging for ECS Task Definitions

Using the AWS CLI