Table: aws_ecs_task_definition - Query AWS ECS Task Definitions using SQL

The AWS ECS Task Definition is a blueprint that describes how a Docker container should launch. It specifies the Docker image to use for the container, the required resources, and other configurations. Task Definitions are used in conjunction with the Amazon Elastic Container Service (ECS) to run containers reliably on AWS.

Table Usage Guide

The aws_ecs_task_definition table in Steampipe provides you with information about the task definitions within AWS Elastic Container Service (ECS). This table allows you, as a DevOps engineer, to query task-specific details, including the task definition ARN, family, network mode, revision, and status. You can utilize this table to gather insights on task definitions, such as their configuration, associated IAM roles, container definitions, volumes, and more. The schema outlines the various attributes of the ECS task definition for you, including the task definition ARN, family, requires compatibility, and associated tags.

Examples

Basic info

Explore the configuration and status of task definitions in AWS ECS to understand their processing power and network configuration. This can be useful for optimizing resource allocation and network settings for better system performance.

select
  task_definition_arn,
  cpu,
  network_mode,
  title,
  status,
  tags
from
  aws_ecs_task_definition;

select
  task_definition_arn,
  cpu,
  network_mode,
  title,
  status,
  tags
from
  aws_ecs_task_definition;

Count the number of containers attached to each task definitions

Explore the distribution of containers across various task definitions to better manage and optimize the use of resources in an AWS ECS environment.

select
  task_definition_arn,
  jsonb_array_length(container_definitions) as num_of_conatiners
from
  aws_ecs_task_definition;

select
  task_definition_arn,
  json_array_length(container_definitions) as num_of_conatiners
from
  aws_ecs_task_definition;

List containers with elevated privileges on the host container instance

Determine the areas in which containers are operating with elevated privileges within your host container instance. This is useful to identify potential security risks and ensure secure configuration of your container infrastructure.

select
  task_definition_arn,
  cd ->> 'Privileged' as privileged,
  cd ->> 'Name' as container_name
from
  aws_ecs_task_definition,
  jsonb_array_elements(container_definitions) as cd
where
  cd ->> 'Privileged' = 'true';

select
  task_definition_arn,
  json_extract(cd.value, '$.Privileged') as privileged,
  json_extract(cd.value, '$.Name') as container_name
from
  aws_ecs_task_definition,
  json_each(container_definitions) as cd
where
  json_extract(cd.value, '$.Privileged') = 'true';

List task definitions with containers where logging is disabled

This query is useful in identifying all task definitions with containers where logging has been disabled in the AWS ECS system. This can aid in improving security and compliance by enabling you to quickly pinpoint areas where logging should be enabled for better tracking and auditing.

select
  task_definition_arn,
  cd ->> 'Name' as container_name,
  cd ->> 'LogConfiguration' as log_configuration
from
  aws_ecs_task_definition,
  jsonb_array_elements(container_definitions) as cd
where
  cd ->> 'LogConfiguration' is null;

select
  task_definition_arn,
  json_extract(cd.value, '$.Name') as container_name,
  json_extract(cd.value, '$.LogConfiguration') as log_configuration
from
  aws_ecs_task_definition,
  json_each(container_definitions) as cd
where
  json_extract(cd.value, '$.LogConfiguration') is null;

Query examples

Control examples

Schema for aws_ecs_task_definition

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
account_id	text	=, !=, ~~, ~~, !~~, !~~	The AWS Account ID in which the resource is located.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
compatibilities	jsonb		The launch type to use with your task.
container_definitions	jsonb		A list of container definitions in JSON format that describe the different containers that make up your task.
cpu	bigint		The number of cpu units used by the task.
deregistered_at	timestamp with time zone		The Unix timestamp for the time when the task definition was deregistered.
ephemeral_storage_size_in_gib	bigint		The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB.
execution_role_arn	text		The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf.
family	text	=	The name of a family that this task definition is registered to.
inference_accelerators	jsonb		The Elastic Inference accelerator associated with the task.
ipc_mode	text		The IPC resource namespace to use for the containers in the task.
memory	bigint		The amount (in MiB) of memory used by the task.
network_mode	text		The Docker networking mode to use for the containers in the task.
partition	text		The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
pid_mode	text		The process namespace to use for the containers in the task.
placement_constraints	jsonb		An array of placement constraint objects to use for tasks.
proxy_configuration	jsonb		The configuration details for the App Mesh proxy.
region	text		The AWS Region in which the resource is located.
registered_at	text		The Unix timestamp for when the task definition was registered.
registered_by	text		The principal that registered the task definition.
requires_attributes	jsonb		The container instance attributes required by your task.
requires_compatibilities	jsonb		The launch type the task requires. If no value is specified, it will default to EC2. Valid values include EC2 and FARGATE.
revision	bigint		The revision of the task in a particular family.
runtime_platform	jsonb		The operating system that your task definitions are running on.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
status	text	=	The status of the task definition.
tags	jsonb		A map of tags for the resource.
tags_src	jsonb		A list of tags associated with task.
task_definition_arn	text	=	The Amazon Resource Name (ARN) that identifies the task definition.
task_role_arn	text		The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf.
title	text		Title of the resource.
volumes	jsonb		The list of volume definitions for the task.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ecs_task_definition