
About Amazon Elastic Container Service (ECS)

The Amazon ECS connector collects clusters, services, tasks, task definitions, and container instance metadata for compliance evidence. AWS does not ship a single-purpose ECS read-only managed policy for this pattern. Use the ecs:Describe* / ecs:List* inline JSON below unless your cloud team supplies an equivalent.

How it works

Standard sts:AssumeRole trust toward Iru plus inline permissions covering ECS control-plane reads.
Detail          Value
Category        Containers
Authentication  Cross-account IAM role

Prerequisites

  • IAM rights to create roles and inline policies.
  • At least one ECS cluster if you expect immediate non-empty results.

Connect AWS ECS to Iru

Copy the trust policy from Iru

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
[Screenshot: left navigation with Compliance expanded and Sources selected]
2. Turn on AWS ECS

Find AWS ECS (filter by Category, or search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3. Copy the trust policy JSON

The wizard shows the trust policy below; YOUR_EXTERNAL_ID stands for the external ID Iru displays for this source.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1. Start Create role

Open IAM > Roles > Create role.
2. Configure trusted entity

Choose AWS account > Another AWS account. Enter 753695775620 (or the account ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3. Attach the ECS read inline policy

Add this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Describe*",
        "ecs:List*"
      ],
      "Resource": "*"
    }
  ]
}
4. Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2. Confirm the source is Active

Submit until AWS ECS turns Active.
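As an added example (not Iru's or AWS's own tooling), the following Python script builds the two policy documents from this page and lints a role's trust and permissions policies against them before you submit the ARN: it flags a trust policy that still carries the YOUR_EXTERNAL_ID placeholder, an external ID that differs from the one Iru shows, a principal other than the IruConnect role, and any Allow action outside ecs:Describe* / ecs:List*. The external ID value and the "drifted" permissions policy in the usage section are constructed for illustration.

```python
"""Build and lint the IAM policy documents for the Iru ECS connector.

Added example, not Iru's or AWS's code. The Iru principal ARN, the placeholder
external ID and the read-only action patterns come from the connector page.
"""
import fnmatch
import json

IRU_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"  # from the page
PLACEHOLDER_EXTERNAL_ID = "YOUR_EXTERNAL_ID"                  # from the page
ALLOWED_ACTION_PATTERNS = ("ecs:Describe*", "ecs:List*")      # read-only scope


def build_trust_policy(external_id: str, principal: str = IRU_PRINCIPAL) -> dict:
    """Trust policy from the wizard with the real external ID substituted in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            "Action": "sts:AssumeRole",
        }],
    }


def ecs_read_policy() -> dict:
    """Inline permissions policy from the page: ECS control-plane reads only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(ALLOWED_ACTION_PATTERNS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc: dict, expected_external_id: str) -> list:
    """Return findings for the trust policy; an empty list means it matches."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if _as_list(aws) != [IRU_PRINCIPAL]:
            findings.append(f"unexpected principal: {aws}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext == PLACEHOLDER_EXTERNAL_ID:
            findings.append("external ID still set to the placeholder")
        elif ext != expected_external_id:
            findings.append("external ID does not match the value Iru shows")
    return findings


def lint_permission_policy(doc: dict) -> list:
    """Return every Allow action that falls outside ecs:Describe*/ecs:List*."""
    out_of_scope = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # fnmatch treats '*' in the action string literally, so "ecs:*" or
            # "*" is correctly reported as broader than the allowed patterns.
            if not any(fnmatch.fnmatchcase(action, p) for p in ALLOWED_ACTION_PATTERNS):
                out_of_scope.append(action)
    return out_of_scope


if __name__ == "__main__":
    external_id = "example-external-id-123"  # constructed; use the one Iru shows
    trust = build_trust_policy(external_id)
    print(json.dumps(trust, indent=2))
    print("trust findings:", lint_trust_policy(trust, external_id))
    print("read policy out of scope:", lint_permission_policy(ecs_read_policy()))
    # Constructed example of an inline policy that drifted past read-only.
    drifted = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:Describe*", "ecs:List*", "ecs:UpdateService", "iam:PassRole"],
        "Resource": "*"}]}
    print("drifted policy out of scope:", lint_permission_policy(drifted))
```

Run the linters against the JSON you actually saved on the role (for example the output of the IAM console's policy editor) rather than against the page's template, since a placeholder left in the trust policy is the usual cause of the external ID mismatch listed under Troubleshooting.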

Troubleshooting

  • Wizard window does not open: check pop-up blocker settings for the Iru site and try again.
  • External ID mismatch: confirm the external ID in the role's trust policy is the one Iru shows.
  • Empty results: confirm clusters exist in the scanned Regions and that the inline policy is actually attached to the role.

Considerations

Covers ECS control-plane APIs only, not workload logs inside tasks; pair with logging sources if audits require runtime proof.
