ECS Logging Disabled
ecs-logging-disabled
What this rule checks
Detects ECS task definitions without logging configured.
How to fix it
- 1Configure awslogs log driver
- 2Set up CloudWatch log groups with retention
import { App, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ecs from 'aws-cdk-lib/aws-ecs';
// FLAGGED: container has no LogConfiguration.
new ecs.CfnTaskDefinition(this, 'Task', {
cpu: '256',
memory: '512',
containerDefinitions: [
{ name: 'app', image: 'nginx:1.27.3' },
],
});import { App, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ecs from 'aws-cdk-lib/aws-ecs';
// FIXED: awslogs driver ships container logs to CloudWatch.
new ecs.CfnTaskDefinition(this, 'Task', {
cpu: '256',
memory: '512',
containerDefinitions: [
{
name: 'app',
image: 'nginx:1.27.3',
logConfiguration: {
logDriver: 'awslogs',
options: {
'awslogs-group': '/ecs/app',
'awslogs-region': 'us-east-1',
'awslogs-stream-prefix': 'app',
},
},
},
],
});CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
Affected resource types
AWS::ECS::TaskDefinitionIntentional? Suppress this finding
Sometimes a flag is deliberate โ a genuinely public endpoint, say. You can dismiss ecs-logging-disabled and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "ecs-logging-disabled", "reason": "Why this is intentional" }
]
}Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::ecs-logging-disabled',
reason: 'Why this is intentional',
});Use the rule ID ecs-logging-disabled shown above โ not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs โ
Catch this in your stack
$ npx cdk-insights scanCDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ free, no account, your code never leaves your machine.