Account settings
You can go into Amazon ECS account settings to opt in or out of specific features. For each Amazon Web Services Region, you can opt in to, or opt out of, each account setting at the account-level or for a specific user or role.
You might want to opt in or out of specific features if any of the following is relevant to you:
- A user or role can opt in to or opt out of specific account settings for their individual account.
- A user or role can set the default opt-in or opt-out setting for all users on the account.
- The root user can opt in to, or opt out of, any specific role or user on the account. If the account setting for the root user is changed, it sets the default for all the users and roles that no individual account setting was selected for.
Note
Federated users assume the account setting of the root user and can't have explicit account settings set for them separately.
The following account settings are available. The opt-in and opt-out option must be selected for each account setting separately.
- Amazon Resource Names (ARNs) and IDs
Resource names: `serviceLongArnFormat`, `taskLongArnFormat`, and `containerInstanceLongArnFormat`
Amazon ECS is introducing a new format for Amazon Resource Names (ARNs) and resource IDs for Amazon ECS services, tasks, and container instances. The opt-in status for each resource type determines the Amazon Resource Name (ARN) format the resource uses. You must opt in to the new ARN format to use features such as resource tagging for that resource type. For more information, see Amazon Resource Names (ARNs) and IDs.
Only resources launched after opting in receive the new ARN and resource ID format. All existing resources aren't affected. For Amazon ECS services and tasks to transition to the new ARN and resource ID formats, you must recreate the service or task. To transition a container instance to the new ARN and resource ID format, the container instance must be drained and a new container instance must be launched and registered to the cluster.
Note
Tasks launched by an Amazon ECS service can only receive the new ARN and resource ID format if the service was created on or after November 16, 2018, and the user who created the service has opted in to the new format for tasks.
- AWSVPC trunking
Resource name: `awsvpcTrunking`
Amazon ECS supports launching container instances with increased elastic network interface (ENI) density using supported Amazon EC2 instance types. When you use these instance types and opt in to the `awsvpcTrunking` account setting, additional ENIs are available on newly launched container instances. You can use this configuration to place more tasks using the `awsvpc` network mode on each container instance. Using this feature, a `c5.large` instance with `awsvpcTrunking` enabled has an increased ENI quota of ten. The container instance has a primary network interface, and Amazon ECS creates and attaches a "trunk" network interface to the container instance. The primary network interface and the trunk network interface don't count against the ENI quota. Therefore, you can use this configuration to launch ten tasks on the container instance instead of the current two tasks. For more information, see Elastic network interface trunking.
Only resources launched after opting in receive the increased ENI limits. All the existing resources aren't affected. To transition a container instance to the increased ENI quotas, the container instance must be drained and a new container instance registered to the cluster.
- CloudWatch Container Insights
Resource name: `containerInsights`
CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices. The metrics include utilization for resources such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects. For more information, see Amazon ECS CloudWatch Container Insights.
When you opt in to the `containerInsights` account setting, all new clusters have Container Insights enabled by default. You can disable this setting for specific clusters when you create them. You can also change this setting by using the UpdateClusterSettings API.
For clusters that contain tasks or services using the EC2 launch type, your container instances must run version 1.29.0 or later of the Amazon ECS agent to use Container Insights. For more information, see Linux container instance management.
- Dual-stack VPC IPv6
Resource name: `dualStackIPv6`
Amazon ECS supports providing tasks with an IPv6 address in addition to the primary private IPv4 address.
For tasks to receive an IPv6 address, the task must use the `awsvpc` network mode, must be launched in a VPC configured for dual-stack mode, and the `dualStackIPv6` account setting must be enabled. For more information about other requirements, see Using a VPC in dual-stack mode.
Important
The `dualStackIPv6` account setting can only be changed using either the Amazon ECS API or the Amazon CLI. For more information, see Modifying account settings.
If you had a running task using the `awsvpc` network mode in an IPv6 enabled subnet between the dates of October 1, 2020 and November 2, 2020, the default `dualStackIPv6` account setting in the Region that the task was running in is `disabled`. If that condition isn't met, the default `dualStackIPv6` setting in the Region is `enabled`.
- Fargate FIPS-140 compliance
Resource name: `fargateFIPSMode`
Fargate supports the Federal Information Processing Standard (FIPS-140) which specifies the security requirements for cryptographic modules that protect sensitive information. It is the current United States and Canadian government standard, and is applicable to systems that are required to be compliant with Federal Information Security Management Act (FISMA) or Federal Risk and Authorization Management Program (FedRAMP).
You must turn on FIPS-140 compliance. For more information, see Amazon Fargate Federal Information Processing Standard (FIPS-140).
Important
The `fargateFIPSMode` account setting can only be changed using either the Amazon ECS API or the Amazon CLI. For more information, see Modifying account settings.
- Tag Resource Authorization
Resource name: `tagResourceAuthorization`
Some Amazon ECS API actions allow you to specify tags when you create the resource.
Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for the action that creates the resource, such as `ecs:CreateCluster`. If tags are specified in the resource-creating action, Amazon performs additional authorization on the `ecs:TagResource` action to verify if users or roles have permissions to create tags. Therefore, you must grant explicit permissions to use the `ecs:TagResource` action. For more information, see Grant permission to tag resources on creation.
- Fargate task retirement waiting period
Resource name: `fargateTaskRetirementWaitPeriod`
Amazon is responsible for patching and maintaining the underlying infrastructure for Amazon Fargate. When Amazon determines that a security or infrastructure update is needed for an Amazon ECS task hosted on Fargate, the tasks need to be stopped and new tasks launched to replace them. You can configure the wait period before tasks are retired for patching. You have the option to retire the task immediately, to wait 7 calendar days, or to wait 14 calendar days.
This setting is at the account-level.
- Runtime Monitoring activation
Resource name: `guardDutyActivate`
The `guardDutyActivate` parameter is read-only in Amazon ECS and indicates whether Runtime Monitoring is enabled or disabled by your security administrator in your Amazon ECS account. GuardDuty controls this account setting on your behalf. For more information, see Protecting Amazon ECS workloads with Runtime Monitoring.
Topics
- Amazon Resource Names (ARNs) and IDs
- ARN and resource ID format timeline
- Amazon Fargate Federal Information Processing Standard (FIPS-140) compliance
- Tagging authorization
- Tagging authorization timeline
- Amazon Fargate task retirement wait time
- Runtime Monitoring (Amazon GuardDuty integration)
- Viewing account settings using the console
- Modifying account settings
- Reverting to the default Amazon ECS account settings
- Account setting management using the Amazon CLI
Amazon Resource Names (ARNs) and IDs
When Amazon ECS resources are created, each resource is assigned a unique Amazon Resource Name (ARN) and resource identifier (ID). If you use a command line tool or the Amazon ECS API to work with Amazon ECS, resource ARNs or IDs are required for certain commands. For example, if you use the stop-task Amazon CLI command to stop a task, you must specify the task ARN or ID in the command.
You can opt in to and opt out of the new Amazon Resource Name (ARN) and resource ID format on a per-Region basis. Currently, any new account created is opted in by default.
You can opt in or opt out of the new Amazon Resource Name (ARN) and resource ID format at any time. After you opt in, any new resources that you create use the new format.
Note
A resource ID doesn't change after it's created. Therefore, opting in or out of the new format doesn't affect your existing resource IDs.
The following sections describe how ARN and resource ID formats are changing. For more information about the transition to the new formats, see the Amazon Elastic Container Service FAQ.
Amazon Resource Name (ARN) format
Some resources have a user-friendly name, such as a service named `production`. In other cases, you must specify a resource using the Amazon Resource Name (ARN) format. The new ARN format for Amazon ECS tasks, services, and container instances includes the cluster name. For information about opting in to the new ARN format, see Modifying account settings.
The following table shows both the current format and the new format for each resource type.
Resource type | ARN
---|---
Container instance | Current: / New:
Amazon ECS service | Current: / New:
Amazon ECS task | Current: / New:
Resource ID length
A resource ID takes the form of a unique combination of letters and numbers. New resource ID formats include shorter IDs for Amazon ECS tasks and container instances. The current resource ID format is 36 characters long. The new IDs are in a 32-character format that doesn't include any hyphens. For information about opting in to the new resource ID format, see Modifying account settings.
ARN and resource ID format timeline
The timeline for the opt-in and opt-out periods for the new Amazon Resource Name (ARN) and resource ID format for Amazon ECS resources ended on April 1, 2021. By default, all accounts are opted in to the new format. All new resources created receive the new format, and you can no longer opt out.
Amazon Fargate Federal Information Processing Standard (FIPS-140) compliance
You must turn on Federal Information Processing Standard (FIPS-140) compliance on Fargate. For more information, see Amazon Fargate Federal Information Processing Standard (FIPS-140).
Run put-account-setting-default with the `fargateFIPSMode` option set to `enabled`. For more information, see put-account-setting-default in the Amazon Elastic Container Service API Reference.
Example to turn on FIPS-140 compliance
aws ecs put-account-setting-default --name fargateFIPSMode --value enabled
Output
{
    "setting": {
        "name": "fargateFIPSMode",
        "value": "enabled",
        "principalArn": "arn:aws:iam::123456789012:user"
    }
}
You can run list-account-settings to view the current FIPS-140 compliance status. Use the effective-settings option to view the account level settings.
aws ecs list-account-settings --effective-settings
Tagging authorization
Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for the actions that create the resource, such as `ecs:CreateCluster`.
When you create a resource and specify tags for that resource, Amazon performs additional authorization to verify that there are permissions to create tags. Therefore, you must grant explicit permissions to use the `ecs:TagResource` action. For more information, see Grant permission to tag resources on creation.
In order to opt in to tagging authorization, run put-account-setting-default with the `tagResourceAuthorization` option set to `on`. For more information, see put-account-setting-default in the Amazon Elastic Container Service API Reference. You can run list-account-settings to view the current tagging authorization status.
Example to turn on tagging authorization
aws ecs put-account-setting-default --name tagResourceAuthorization --value on --region region
Output
{
    "setting": {
        "name": "tagResourceAuthorization",
        "value": "on",
        "principalArn": "arn:aws:iam::123456789012:user"
    }
}
After you opt in, you must configure the appropriate permissions to allow users to tag resources on creation. For more information, see Grant permission to tag resources on creation.
You can run list-account-settings to view the current tagging authorization status. Use the effective-settings option to view the account level settings.
aws ecs list-account-settings --effective-settings
Tagging authorization timeline
You can confirm whether tagging authorization is active by running list-account-settings to view the `tagResourceAuthorization` value. When the value is `on`, it means that the tagging authorization is in use. For more information, see list-account-settings in the Amazon Elastic Container Service API Reference.
The following are the important dates related to tagging authorization.
- April 18, 2023 – Tagging authorization is introduced. All new and existing accounts must opt in to use the feature. You can opt in to start using tagging authorization. By opting in, you must grant the appropriate permissions.
Amazon Fargate task retirement wait time
Amazon sends out notifications when you have Fargate tasks running on a platform version revision marked for retirement. For more information, see Amazon Fargate task maintenance.
Important
If there is a critical security update, Amazon sends a notification, and then immediately retires the tasks.
You can configure the time that Fargate starts the task retirement. For workloads that require immediate application of the updates, choose the immediate setting (`0`). When you need more control, for example, when a task can only be stopped during a certain window, configure the 7 day (`7`) or 14 day (`14`) option.
We recommend that you choose a shorter waiting period in order to pick up newer platform version revisions sooner.
Configure the wait period by running put-account-setting-default or put-account-setting as the root user. Pass `fargateTaskRetirementWaitPeriod` as the name option and set the value option to one of the following values:
- `0` - Amazon sends the notification, and immediately starts to retire the affected tasks.
- `7` - Amazon sends the notification, and waits 7 calendar days before starting to retire the affected tasks.
- `14` - Amazon sends the notification, and waits 14 calendar days before starting to retire the affected tasks.
The default is 14 days.
For more information, see put-account-setting-default and put-account-setting in the Amazon Elastic Container Service API Reference.
Example to set the wait period to 14 days
aws ecs put-account-setting-default --name fargateTaskRetirementWaitPeriod --value 14
Output
{
    "setting": {
        "name": "fargateTaskRetirementWaitPeriod",
        "value": "14",
        "principalArn": "arn:aws:iam::123456789012:root",
        "type": "user"
    }
}
You can run list-account-settings to view the current Fargate task retirement wait time. Use the effective-settings option.
aws ecs list-account-settings --effective-settings
Runtime Monitoring (Amazon GuardDuty integration)
Runtime Monitoring is an intelligent threat detection service that protects workloads running on Fargate and EC2 container instances by continuously monitoring Amazon log and networking activity to identify malicious or unauthorized behavior.
The `guardDutyActivate` parameter is read-only in Amazon ECS and indicates whether Runtime Monitoring is enabled or disabled by your security administrator in your Amazon ECS account. GuardDuty controls this account setting on your behalf. For more information, see Protecting Amazon ECS workloads with Runtime Monitoring.
You can run list-account-settings to view the current GuardDuty integration setting.
aws ecs list-account-settings
Output
{
    "setting": {
        "name": "guardDutyActivate",
        "value": "on",
        "principalArn": "arn:aws:iam::123456789012:doej",
        "type": "aws-managed"
    }
}
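The FIPS, tagging authorization, task retirement and Runtime Monitoring sections above each end with the same check, list-account-settings --effective-settings. The following script, an added example that is not part of the Amazon ECS documentation, turns that check into a baseline audit: it reads the settings JSON (a constructed sample here, with a made-up account ID), compares each setting the page documents against an assumed baseline, and prints the put-account-setting-default command for every user-controlled setting that drifts.

```shell
#!/bin/sh
# Added example, not from the Amazon ECS documentation: audit the effective
# account settings against a baseline. In a real run the JSON would come from
# `aws ecs list-account-settings --effective-settings`; here it is a constructed
# sample (account ID and values are made up) so the script runs offline.
SAMPLE_SETTINGS='{ "settings": [
  { "name": "fargateFIPSMode", "value": "disabled", "principalArn": "arn:aws:iam::123456789012:root", "type": "user" },
  { "name": "tagResourceAuthorization", "value": "on", "principalArn": "arn:aws:iam::123456789012:root", "type": "user" },
  { "name": "fargateTaskRetirementWaitPeriod", "value": "14", "principalArn": "arn:aws:iam::123456789012:root", "type": "user" },
  { "name": "guardDutyActivate", "value": "on", "principalArn": "arn:aws:iam::123456789012:root", "type": "aws-managed" }
] }'

# Baseline as name=expected pairs. These expectations are an assumption of the
# example; use the values your own policy requires.
BASELINE="fargateFIPSMode=enabled tagResourceAuthorization=on \
fargateTaskRetirementWaitPeriod=7 guardDutyActivate=on containerInsights=enabled"

# setting_value JSON NAME: print the value of one setting, empty if absent.
# Splitting on '}' puts each setting object on its own line, so grep/sed suffice.
setting_value() {
  printf '%s' "$1" | tr '}' '\n' | grep "\"name\": *\"$2\"" \
    | sed 's/.*"value": *"\([^"]*\)".*/\1/'
}

# audit_settings JSON: print one line per baseline entry and return how many
# entries are missing or differ from the baseline (0 means compliant).
audit_settings() {
  drift=0
  for pair in $BASELINE; do
    name=${pair%%=*}; want=${pair#*=}
    got=$(setting_value "$1" "$name")
    if [ -z "$got" ]; then
      echo "MISSING $name (expected $want)"; drift=$((drift + 1))
    elif [ "$got" = "$want" ]; then
      echo "OK      $name=$got"
    else
      echo "DRIFT   $name=$got (expected $want)"; drift=$((drift + 1))
      # guardDutyActivate is aws-managed and read-only in ECS; it is changed in
      # GuardDuty, so only suggest put-account-setting-default for the others.
      if [ "$name" != guardDutyActivate ]; then
        echo "        fix: aws ecs put-account-setting-default --name $name --value $want"
      fi
    fi
  done
  return "$drift"
}

audit_settings "$SAMPLE_SETTINGS" || echo "$? setting(s) not at baseline"
```

The exit status of audit_settings is the drift count, so the same function can gate a CI job or a scheduled compliance check.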