ECS clusters should have container insights enabled

Without Container Insights, you lose visibility into CPU and memory utilization, task counts, and service health across your ECS clusters. This turns capacity planning into guesswork and slows incident response because you lack the baseline metrics needed to detect anomalies.

Container Insights feeds data into CloudWatch, enabling alarms on task failures, resource saturation, and unexpected scaling events. Costs can increase materially depending on metric and log volume, so review CloudWatch and Container Insights pricing for your regions and workload scale.

Retrofit consideration

Enabling Container Insights on a running cluster does not cause downtime, but expect a noticeable increase in CloudWatch costs if you have many tasks. Review CloudWatch pricing before enabling on large clusters.

Implementation

Choose the approach that matches how you manage Terraform.

Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.

module "ecs" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/ecs/aws//modules/cluster"
  version = ">=6.0.0"

  name = "abc123"
  setting = [
    {
      name  = "containerInsights"
      value = "enabled"
    }
  ]
}

module "ecs" {
  source  = "nistcsfv11.compliance.tf/terraform-aws-modules/ecs/aws//modules/cluster"
  version = ">=6.0.0"

  name = "abc123"
  setting = [
    {
      name  = "containerInsights"
      value = "enabled"
    }
  ]
}

If you use terraform-aws-modules/ecs/aws//modules/cluster, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "ecs" {
  source  = "terraform-aws-modules/ecs/aws//modules/cluster"
  version = ">=6.0.0"

  name = "abc123"
  setting = [
    {
      name  = "containerInsights"
      value = "enabled"
    }
  ]
}

Use AWS provider resources directly. See docs for the resources involved: aws_ecs_cluster.

resource "aws_ecs_cluster" "this" {
  name = "pofix-abc123"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

What this control checks

In Terraform, the aws_ecs_cluster resource must include a setting block with name = "containerInsights" and value = "enabled". If the block is omitted entirely, Container Insights defaults to disabled unless account settings change the default for new clusters, and the control fails. Setting value = "disabled" also fails. The only passing configuration is an explicit value = "enabled". This control evaluates the cluster setting only. Successful telemetry and log delivery can still depend on IAM permissions and environment configuration.

Common pitfalls

  • Default is disabled

    Omitting the setting block from aws_ecs_cluster leaves Container Insights disabled unless account-level defaults are already in place. Declare the block explicitly for deterministic behavior. ECS account settings via aws ecs put-account-setting or aws ecs put-account-setting-default can affect defaults for new clusters, but do not retroactively change existing clusters.

  • Account-level setting does not retroactively fix clusters

    Running aws ecs put-account-setting-default --name containerInsights --value enabled only applies to clusters created after the change. Existing clusters stay non-compliant until updated individually via Terraform or aws ecs update-cluster-settings.

  • Fargate vs EC2 launch type cost differences

    Container Insights on Fargate collects fewer infrastructure metrics than on the EC2 launch type, since there are no instance-level metrics, so the cost impact differs accordingly. If you toggle this on for a large Fargate fleet, review CloudWatch custom metrics pricing, because each task emits performance data.

  • Enhanced Container Insights confusion

    AWS offers an enhanced version of Container Insights with deeper observability. The standard containerInsights setting with value = "enabled" satisfies this control. You do not need the enhanced variant for this specific check.

Audit evidence

Config rule evaluation results for ecs-cluster-container-insights-enabled showing each cluster as COMPLIANT. Supporting evidence includes the CloudWatch console showing active Container Insights dashboards with metrics flowing per cluster, and /aws/ecs/containerinsights/*/performance log groups in CloudWatch Logs with recent log streams.

For deeper verification, aws ecs describe-clusters --clusters <name> --include SETTINGS should return "name": "containerInsights", "value": "enabled" in the settings array.
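The rule described under "What this control checks" and the describe-clusters evidence above both reduce to inspecting a list of name/value settings. The following is an added example, not compliance.tf's own checker: it assumes the standard `terraform show -json` plan layout (planned_values.root_module.resources, with nested child_modules) and applies the control's rule to every aws_ecs_cluster it finds; the same evaluate_settings function can be pointed at the clusters[].settings array from describe-clusters output.

```python
import json

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"


def evaluate_settings(settings):
    """Apply the control's rule to a list of {name, value} dicts (plan JSON
    values.setting, or clusters[].settings from describe-clusters)."""
    for s in settings or []:
        if s.get("name") == "containerInsights":
            if s.get("value") == "enabled":
                return COMPLIANT, "containerInsights explicitly enabled"
            return NON_COMPLIANT, f"containerInsights is {s.get('value')!r}"
    return NON_COMPLIANT, "containerInsights omitted (defaults to disabled)"


def walk_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def evaluate_plan(plan_json):
    """Map every aws_ecs_cluster address in a `terraform show -json` plan to its result."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return {r["address"]: evaluate_settings(r.get("values", {}).get("setting"))
            for r in walk_resources(root) if r.get("type") == "aws_ecs_cluster"}


# Constructed sample plan (not real Terraform output): the three cases the control describes.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_ecs_cluster.good", "type": "aws_ecs_cluster",
         "values": {"setting": [{"name": "containerInsights", "value": "enabled"}]}},
        {"address": "aws_ecs_cluster.off", "type": "aws_ecs_cluster",
         "values": {"setting": [{"name": "containerInsights", "value": "disabled"}]}},
    ],
    "child_modules": [{"address": "module.ecs", "resources": [
        {"address": "module.ecs.aws_ecs_cluster.this", "type": "aws_ecs_cluster",
         "values": {"setting": []}},  # setting block omitted entirely
    ]}],
}}})

if __name__ == "__main__":
    for address, (status, reason) in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{status:13} {address}: {reason}")
```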

Framework-specific interpretation

PCI DSS v4.0: Requirement 10 of PCI DSS v4.0 calls for logging and monitoring of system components to detect and respond to security events. Container Insights is one way to support that monitoring and evidence collection for containerized environments, covering data relevant to 10.2 and 10.4, but PCI DSS does not prescribe it as the only acceptable mechanism.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ecs_cluster_container_insights_enabled

  • AWS Config Managed Rule: ECS_CONTAINER_INSIGHTS_ENABLED

  • Checkov Check: CKV_AWS_65

  • Powerpipe Control: aws_compliance.control.ecs_cluster_container_insights_enabled

  • Prowler Check: ecs_cluster_container_insights_enabled

  • AWS Security Hub Control: ECS.12

  • KICS Query: 97cb0688-369a-4d26-b1f7-86c4c91231bc

  • Trivy Check: AWS-0034

Last reviewed: 2026-03-09