Amazon ECS

Polling of metadata (tags) from Amazon CloudWatch for your EC2 Container Service (ECS) is enabled by setting the correct permissions in the AWS Identity and Access Management (IAM) policy for the AWS credentials used (see Settings > AWS > AWS Accounts).

If you have previously enabled Amazon cloud provider integration in the Sysdig Monitor web interface and selected the pre-configured IAM managed policy "ReadOnlyAccess", no further steps are required. The agent will be able to automatically detect and poll for ECS metadata.

Otherwise, if you use a custom IAM policy, make sure it includes at least the following action entries to allow metadata polling (a full example policy is shown):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "ecs:Describe*",
                "ecs:List*",
                "ec2:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
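
An added example (not part of Sysdig's documentation): a Python check that a custom IAM policy document grants the minimum action patterns listed above and reports any granted actions broader than Describe/Get/List. The function names and the sample policy are constructed for illustration; Deny statements, NotAction, Resource and Condition scoping are assumed out of scope and are not evaluated.

```python
import json
import re

# Minimum action patterns, copied from the example policy above.
REQUIRED = ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "ecs:Describe*", "ecs:List*", "ec2:Describe*"]
# Actions whose verb starts with Describe/Get/List are treated as read-only.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(describe|get|list)", re.I)

# Constructed sample: a custom policy that forgot cloudwatch:List* and
# grants all of ECS instead of only the read actions.
CUSTOM_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "ec2:Describe*"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ecs:*"}
  ]
}"""


def as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]


def covers(granted, required):
    # IAM action matching is case-insensitive. Only "*" is handled as a
    # wildcard here; the required pattern's own "*" must fall under one.
    rx = re.escape(granted.lower()).replace(r"\*", ".*")
    return re.fullmatch(rx, required.lower()) is not None


def audit_policy(policy_json):
    """Return (missing, broad): required patterns that no Allow statement
    grants, and granted patterns that go beyond Describe/Get/List."""
    policy = json.loads(policy_json)
    granted = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            granted += as_list(stmt["Action"])
    missing = [r for r in REQUIRED if not any(covers(g, r) for g in granted)]
    broad = [g for g in granted if not READ_ONLY.match(g)]
    return missing, broad


if __name__ == "__main__":
    missing, broad = audit_policy(CUSTOM_POLICY)
    print("missing required actions:", missing)
    print("broader than read-only:", broad)
```

An empty `missing` list means the policy meets the minimum for metadata polling; entries in `broad` are grants worth narrowing to the read-only patterns.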

 

If AWS integration is not enabled, you may still see a subset of ECS tags, which are available if the Sysdig agent is installed on the EC2 instances running your ECS cluster. You can install the agent only if the ECS 'launch type' is EC2 and not Fargate, because Fargate does not allow access to the underlying instances running your cluster.

Here are the tags you can expect to see available when searching with 'ecs'. Those tags retrieved by an installed agent are highlighted in yellow while the tags retrieved with AWS integration enabled are in green: 

[Image: ECS_TAGS.jpg (ECS tags, color-coded by source)]

In addition to the 'ecs.cluster/service/task*' tags, when AWS integration is enabled with CloudWatch polling, a new default grouping "AWS ECS" is visible in the grouping pull-down menu.

 

For complete instructions and example policies on integrating your Amazon infrastructure into Sysdig Monitor and enabling polling metrics and infrastructure information on RDS, EC2, ECS, and ELB, please see the following user guide: Integrating-Your-Cloud-Provider 

Install the Sysdig agent on each EC2 instance as a Docker container or via the native host installation.

Note:  The Sysdig agent cannot be deployed as an ECS task at this time.   
