ECS Service Connect Access Logs Missing
ecs-service-connect-access-logs-missing
What this rule checks
Detects ECS services with Service Connect enabled but no access log configuration, leaving inter-service traffic unaudited.
How to fix it
1. Set ServiceConnectConfiguration.LogConfiguration with a LogDriver such as awslogs
2. Send Service Connect logs to a CloudWatch log group with a retention policy
3. Confirm log group encryption is configured for sensitive workloads
import { App, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ecs from 'aws-cdk-lib/aws-ecs';

// FLAGGED: Service Connect enabled but no access logging.
class AppStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    // The Service Connect proxy runs, but its traffic is never written anywhere.
    new ecs.CfnService(this, 'Service', {
      cluster: 'app-cluster',
      taskDefinition: 'app-task:1',
      serviceConnectConfiguration: {
        enabled: true,
        namespace: 'app.local',
      },
    });
  }
}
new AppStack(new App(), 'AppStack');

import { App, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ecs from 'aws-cdk-lib/aws-ecs';

// FIXED: Service Connect proxy logs go to CloudWatch.
class AppStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new ecs.CfnService(this, 'Service', {
      cluster: 'app-cluster',
      taskDefinition: 'app-task:1',
      serviceConnectConfiguration: {
        enabled: true,
        namespace: 'app.local',
        // awslogs driver: every proxy access log line lands in the named log group.
        logConfiguration: {
          logDriver: 'awslogs',
          options: {
            'awslogs-group': '/ecs/service-connect',
            'awslogs-region': 'us-east-1',
            'awslogs-stream-prefix': 'sc',
          },
        },
      },
    });
  }
}
new AppStack(new App(), 'AppStack');

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
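The check itself is easy to reproduce over the CloudFormation template that cdk synth emits. The following is an added example, not CDK Insights' own rule code: it walks the template's Resources, and for each AWS::ECS::Service with Service Connect enabled reports a finding when ServiceConnectConfiguration.LogConfiguration has no LogDriver (treating a LogConfiguration without a driver the same as a missing one is this example's assumption). The sample template and the Finding shape are constructed for the example.

```typescript
// Added example (not CDK Insights' own code): template-level check that mirrors
// the ecs-service-connect-access-logs-missing rule over a synthesised template.
type CfnResource = { Type?: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };

interface Finding {
  logicalId: string;
  ruleId: string;
  message: string;
}

const RULE_ID = 'ecs-service-connect-access-logs-missing';

// Returns one finding per AWS::ECS::Service that has Service Connect enabled
// but no ServiceConnectConfiguration.LogConfiguration.LogDriver.
function findServiceConnectWithoutLogs(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::ECS::Service') continue;
    const sc = res.Properties?.ServiceConnectConfiguration;
    // Service Connect absent or disabled: no proxy is running, so nothing to audit.
    if (!sc || sc.Enabled !== true) continue;
    const driver = sc.LogConfiguration?.LogDriver;
    if (typeof driver === 'string' && driver.length > 0) continue; // logging configured
    findings.push({
      logicalId,
      ruleId: RULE_ID,
      message: `${logicalId}: Service Connect is enabled but LogConfiguration has no LogDriver`,
    });
  }
  return findings;
}

// Constructed sample template: one flagged service, one fixed, one with Service Connect off.
const sampleTemplate: CfnTemplate = {
  Resources: {
    FlaggedService: {
      Type: 'AWS::ECS::Service',
      Properties: { ServiceConnectConfiguration: { Enabled: true, Namespace: 'app.local' } },
    },
    FixedService: {
      Type: 'AWS::ECS::Service',
      Properties: {
        ServiceConnectConfiguration: {
          Enabled: true,
          Namespace: 'app.local',
          LogConfiguration: { LogDriver: 'awslogs', Options: { 'awslogs-group': '/ecs/service-connect' } },
        },
      },
    },
    NoServiceConnect: { Type: 'AWS::ECS::Service', Properties: { ServiceConnectConfiguration: { Enabled: false } } },
  },
};
```

Running findServiceConnectWithoutLogs(sampleTemplate) reports only FlaggedService; the fixed service and the one with Service Connect disabled pass.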
Affected resource types
AWS::ECS::Service
Intentional? Suppress this finding
Sometimes a flag is deliberate — a genuinely public endpoint, say. You can dismiss ecs-service-connect-access-logs-missing and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "ecs-service-connect-access-logs-missing", "reason": "Why this is intentional" }
]
}
Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::ecs-service-connect-access-logs-missing',
reason: 'Why this is intentional',
});
Use the rule ID ecs-service-connect-access-logs-missing shown above — not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths.
Catch this in your stack
$ npx cdk-insights scan
CDK Insights runs this and 118+ other rules locally against your synthesised CDK app — free, no account, your code never leaves your machine.