Amazon Web Services (AWS)


Amazon Elastic Container Service (ECS) is a highly scalable and fast container management service that helps you deploy, manage, and scale containerized workloads on AWS within a cluster. With ECS, your containers are defined in a task definition that you use to run an individual task, or tasks within a service, which is a configuration for running and maintaining a specified number of tasks simultaneously in a cluster. You can run tasks and services on serverless infrastructure managed by AWS Fargate, or manage a cluster of Amazon EC2 instances yourself for more control over your infrastructure.

The aws_ecs_cluster Terraform resource supports the following arguments:

  • capacity_providers - (Optional; deprecated, use the aws_ecs_cluster_capacity_providers resource instead) List of short names of one or more capacity providers to associate with the cluster. Valid values also include FARGATE and FARGATE_SPOT.
  • configuration - (Optional) The execute command configuration for the cluster. Detailed below.
  • default_capacity_provider_strategy - (Optional; deprecated, use the aws_ecs_cluster_capacity_providers resource instead) Configuration block for the capacity provider strategy to use by default for the cluster. Can be one or more. Detailed below.
  • name - (Required) Name of the cluster (up to 255 letters, numbers, hyphens, and underscores).
  • setting - (Optional) Configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster. Detailed below.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.


The configuration block supports:

  • execute_command_configuration - (Optional) The details of the execute command configuration. Detailed below.


The execute_command_configuration block supports:

  • kms_key_id - (Optional) The AWS Key Management Service key ID used to encrypt the data between the local client and the container.
  • logging - (Optional) The log setting to use for redirecting logs for your execute command results. Valid values are NONE, DEFAULT, and OVERRIDE.
  • log_configuration - (Optional) The log configuration for the results of the execute command actions. Required when logging is OVERRIDE. Detailed below.

The log_configuration block supports:

  • cloud_watch_encryption_enabled - (Optional) Whether or not to enable encryption on the CloudWatch logs. If not specified, encryption will be disabled.
  • cloud_watch_log_group_name - (Optional) The name of the CloudWatch log group to send logs to.
  • s3_bucket_name - (Optional) The name of the S3 bucket to send logs to.
  • s3_bucket_encryption_enabled - (Optional) Whether or not to enable encryption on the logs sent to S3. If not specified, encryption will be disabled.
  • s3_key_prefix - (Optional) An optional folder in the S3 bucket to place logs in.


The default_capacity_provider_strategy block supports:

  • capacity_provider - (Required) The short name of the capacity provider.
  • weight - (Optional) The relative percentage of the total number of launched tasks that should use the specified capacity provider.
  • base - (Optional) The number of tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined.


The setting block supports:

  • name - (Required) Name of the setting to manage. Valid values: containerInsights.
  • value - (Required) The value to assign to the setting. Valid values are enabled and disabled.
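As an added example (not from this page or any vendor's tooling), the following Python audits the JSON that `aws ecs describe-clusters --include SETTINGS CONFIGURATIONS` returns against the settings described above: Container Insights enabled, a KMS key on execute command sessions, logging not set to NONE, and encrypted log destinations when logging is OVERRIDE. The sample document, cluster names and key ARN are constructed.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ecs describe-clusters --include SETTINGS CONFIGURATIONS`
# output. Field names follow the ECS API (e.g. s3EncryptionEnabled), not the Terraform
# argument names. Both clusters and the KMS key ARN are made up.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({"clusters": [
    {"clusterName": "weak",
     "settings": [{"name": "containerInsights", "value": "disabled"}],
     "configuration": {"executeCommandConfiguration": {"logging": "NONE"}}},
    {"clusterName": "hardened",
     "settings": [{"name": "containerInsights", "value": "enabled"}],
     "configuration": {"executeCommandConfiguration": {
         "kmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
         "logging": "OVERRIDE",
         "logConfiguration": {
             "cloudWatchLogGroupName": "/ecs/exec-audit",
             "cloudWatchEncryptionEnabled": True,
             "s3BucketName": "example-ecs-exec-audit",
             "s3EncryptionEnabled": True}}}},
]})


def audit_cluster(cluster: dict) -> List[str]:
    """Return findings for one cluster entry; an empty list means it passes."""
    findings = []
    settings = {s["name"]: s["value"] for s in cluster.get("settings", [])}
    if settings.get("containerInsights") != "enabled":
        findings.append("containerInsights is not enabled")
    exec_cfg = cluster.get("configuration", {}).get("executeCommandConfiguration", {})
    if not exec_cfg.get("kmsKeyId"):
        findings.append("no KMS key configured for execute command sessions")
    # A missing "logging" key means DEFAULT: the task definition's awslogs settings apply.
    logging = exec_cfg.get("logging", "DEFAULT")
    if logging == "NONE":
        findings.append("execute command logging is NONE (no session audit trail)")
    elif logging == "OVERRIDE":
        log_cfg = exec_cfg.get("logConfiguration", {})
        if not (log_cfg.get("cloudWatchLogGroupName") or log_cfg.get("s3BucketName")):
            findings.append("logging is OVERRIDE but no log destination is set")
        if log_cfg.get("cloudWatchLogGroupName") and not log_cfg.get("cloudWatchEncryptionEnabled"):
            findings.append("CloudWatch execute command logs are not encrypted")
        if log_cfg.get("s3BucketName") and not log_cfg.get("s3EncryptionEnabled"):
            findings.append("S3 execute command logs are not encrypted")
    return findings


def audit_describe_clusters(payload: str) -> Dict[str, List[str]]:
    """Map each cluster name in a describe-clusters JSON document to its findings."""
    return {c["clusterName"]: audit_cluster(c) for c in json.loads(payload)["clusters"]}
```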

Associating resources with a
via Terraform:

The following HCL creates an ECS cluster with capacity providers:

resource "aws_ecs_cluster" "example" {
  name = "example"
}

# Capacity providers are attached with the dedicated resource rather than the
# deprecated capacity_providers / default_capacity_provider_strategy arguments.
resource "aws_ecs_cluster_capacity_providers" "example" {
  cluster_name = aws_ecs_cluster.example.name

  capacity_providers = [aws_ecs_capacity_provider.example.name]

  default_capacity_provider_strategy {
    base              = 1
    weight            = 100
    capacity_provider = aws_ecs_capacity_provider.example.name
  }
}

# The capacity provider is backed by an Auto Scaling group;
# aws_autoscaling_group.example is assumed to be defined elsewhere.
resource "aws_ecs_capacity_provider" "example" {
  name = "example"

  auto_scaling_group_provider {
    auto_scaling_group_arn = aws_autoscaling_group.example.arn
  }
}

via CLI:

Synopsis of aws ecs create-cluster:

[--cluster-name <value>]
[--tags <value>]
[--settings <value>]
[--configuration <value>]
[--capacity-providers <value>]
[--default-capacity-provider-strategy <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]

Example: create a cluster with two capacity providers and an equal-weight default strategy.

aws ecs create-cluster --cluster-name MyCluster --capacity-providers MyCapacityProvider1 MyCapacityProvider2 --default-capacity-provider-strategy capacityProvider=MyCapacityProvider1,weight=1 capacityProvider=MyCapacityProvider2,weight=1

Best Practices for

Categorized by Availability, Security & Compliance and Cost

Ensure default security groups are not in use by ECS