steampipe plugin install aws

Table: aws_ecs_task_definition - Query AWS ECS Task Definitions using SQL

The AWS ECS Task Definition is a blueprint that describes how a Docker container should launch. It specifies the Docker image to use for the container, the required resources, and other configurations. Task Definitions are used in conjunction with the Amazon Elastic Container Service (ECS) to run containers reliably on AWS.

Table Usage Guide

The aws_ecs_task_definition table in Steampipe provides you with information about the task definitions within AWS Elastic Container Service (ECS). This table allows you, as a DevOps engineer, to query task-specific details, including the task definition ARN, family, network mode, revision, and status. You can utilize this table to gather insights on task definitions, such as their configuration, associated IAM roles, container definitions, volumes, and more. The schema outlines the various attributes of the ECS task definition for you, including the task definition ARN, family, requires compatibility, and associated tags.

Examples

Basic info

Explore the configuration and status of task definitions in AWS ECS to understand their processing power and network configuration. This can be useful for optimizing resource allocation and network settings for better system performance.

PostgreSQL:

select
  task_definition_arn,
  cpu,
  network_mode,
  title,
  status,
  tags
from
  aws_ecs_task_definition;

SQLite:

select
  task_definition_arn,
  cpu,
  network_mode,
  title,
  status,
  tags
from
  aws_ecs_task_definition;

Count the number of containers attached to each task definition

Explore the distribution of containers across various task definitions to better manage and optimize the use of resources in an AWS ECS environment.

PostgreSQL:

select
  task_definition_arn,
  jsonb_array_length(container_definitions) as num_of_containers
from
  aws_ecs_task_definition;

SQLite:

select
  task_definition_arn,
  json_array_length(container_definitions) as num_of_containers
from
  aws_ecs_task_definition;

List containers with elevated privileges on the host container instance

Determine the areas in which containers are operating with elevated privileges within your host container instance. This is useful to identify potential security risks and ensure secure configuration of your container infrastructure.

PostgreSQL:

select
  task_definition_arn,
  cd ->> 'Privileged' as privileged,
  cd ->> 'Name' as container_name
from
  aws_ecs_task_definition,
  jsonb_array_elements(container_definitions) as cd
where
  cd ->> 'Privileged' = 'true';

SQLite:

select
  task_definition_arn,
  json_extract(cd.value, '$.Privileged') as privileged,
  json_extract(cd.value, '$.Name') as container_name
from
  aws_ecs_task_definition,
  json_each(container_definitions) as cd
where
  json_extract(cd.value, '$.Privileged') = 'true';

List task definitions with containers where logging is disabled

This query is useful in identifying all task definitions with containers where logging has been disabled in the AWS ECS system. This can aid in improving security and compliance by enabling you to quickly pinpoint areas where logging should be enabled for better tracking and auditing.

PostgreSQL:

select
  task_definition_arn,
  cd ->> 'Name' as container_name,
  cd ->> 'LogConfiguration' as log_configuration
from
  aws_ecs_task_definition,
  jsonb_array_elements(container_definitions) as cd
where
  cd ->> 'LogConfiguration' is null;

SQLite:

select
  task_definition_arn,
  json_extract(cd.value, '$.Name') as container_name,
  json_extract(cd.value, '$.LogConfiguration') as log_configuration
from
  aws_ecs_task_definition,
  json_each(container_definitions) as cd
where
  json_extract(cd.value, '$.LogConfiguration') is null;
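The two audit queries above each check one setting in isolation. As an added example (not part of the plugin's documentation), the PostgreSQL query below joins the table's task-level isolation columns (pid_mode, ipc_mode, network_mode, task_role_arn) with the per-container settings and ranks active task definitions by how many weak settings they carry. The container keys 'User' and 'ReadonlyRootFilesystem' are assumed to follow the ECS ContainerDefinition field names in the same way 'Privileged' and 'LogConfiguration' do; the risk tally is a constructed heuristic, not a Steampipe control.

```sql
-- Added example: rank active ECS task definitions by weak isolation settings.
-- Assumes container keys 'User' and 'ReadonlyRootFilesystem' (ECS ContainerDefinition names).
select
  t.task_definition_arn,
  t.family,
  t.revision,
  t.network_mode,
  t.pid_mode,
  t.ipc_mode,
  t.task_role_arn,
  cd ->> 'Name' as container_name,
  coalesce(cd ->> 'Privileged', 'false') as privileged,
  cd ->> 'User' as run_as_user,                         -- null means image default (often root)
  coalesce(cd ->> 'ReadonlyRootFilesystem', 'false') as readonly_root_fs,
  (cd ->> 'LogConfiguration') is null as logging_disabled,
  -- constructed tally: one point per weak setting, null-safe via coalesce
  (
    (coalesce(cd ->> 'Privileged', 'false') = 'true')::int
    + (coalesce(t.pid_mode, '') = 'host')::int              -- shares the host PID namespace
    + (coalesce(t.ipc_mode, '') = 'host')::int              -- shares the host IPC namespace
    + (coalesce(t.network_mode, '') = 'host')::int          -- shares the host network stack
    + ((cd ->> 'LogConfiguration') is null)::int            -- no log driver configured
    + (coalesce(cd ->> 'ReadonlyRootFilesystem', 'false') <> 'true')::int
  ) as weak_settings
from
  aws_ecs_task_definition as t,
  jsonb_array_elements(t.container_definitions) as cd
where
  t.status = 'ACTIVE'
  and (
    coalesce(cd ->> 'Privileged', 'false') = 'true'
    or coalesce(t.pid_mode, '') = 'host'
    or coalesce(t.ipc_mode, '') = 'host'
    or (cd ->> 'LogConfiguration') is null
  )
order by
  weak_settings desc,
  t.family,
  t.revision desc;
```

Because every revision in a family is returned, compare the revision column against the one actually referenced by running services before treating a high tally as a live finding.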

Control examples

Schema for aws_ecs_task_definition

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| compatibilities | jsonb | | The launch type to use with your task. |
| container_definitions | jsonb | | A list of container definitions in JSON format that describe the different containers that make up your task. |
| cpu | bigint | | The number of cpu units used by the task. |
| deregistered_at | timestamp with time zone | | The Unix timestamp for the time when the task definition was deregistered. |
| ephemeral_storage_size_in_gib | bigint | | The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB. |
| execution_role_arn | text | | The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. |
| family | text | = | The name of a family that this task definition is registered to. |
| inference_accelerators | jsonb | | The Elastic Inference accelerator associated with the task. |
| ipc_mode | text | | The IPC resource namespace to use for the containers in the task. |
| memory | bigint | | The amount (in MiB) of memory used by the task. |
| network_mode | text | | The Docker networking mode to use for the containers in the task. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| pid_mode | text | | The process namespace to use for the containers in the task. |
| placement_constraints | jsonb | | An array of placement constraint objects to use for tasks. |
| proxy_configuration | jsonb | | The configuration details for the App Mesh proxy. |
| region | text | | The AWS Region in which the resource is located. |
| registered_at | text | | The Unix timestamp for when the task definition was registered. |
| registered_by | text | | The principal that registered the task definition. |
| requires_attributes | jsonb | | The container instance attributes required by your task. |
| requires_compatibilities | jsonb | | The launch type the task requires. If no value is specified, it will default to EC2. Valid values include EC2 and FARGATE. |
| revision | bigint | | The revision of the task in a particular family. |
| runtime_platform | jsonb | | The operating system that your task definitions are running on. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | = | The status of the task definition. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags associated with task. |
| task_definition_arn | text | = | The Amazon Resource Name (ARN) that identifies the task definition. |
| task_role_arn | text | | The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf. |
| title | text | | Title of the resource. |
| volumes | jsonb | | The list of volume definitions for the task. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ecs_task_definition