A comprehensive, production-ready AWS ECS/EKS container security scanner with 45 security checks across 8 categories and compliance mapping for 11 frameworks (128 controls). Supports both ECS and EKS clusters with multi-threaded scanning, secret detection in task definitions, and interactive HTML dashboards.
- ECS Cluster Security: Container Insights, execute command logging, cluster encryption, capacity provider strategy
- ECS Task Definitions: Privileged containers, root user, read-only root filesystem, Linux capabilities, network mode, logging, secrets in environment variables, resource limits, PID mode, execution roles
- ECS Service Security: ECS Exec access, public IP assignment, circuit breaker, Fargate platform version, security groups
- EKS Cluster Security: API endpoint access, secrets encryption, control plane logging, Kubernetes version, managed add-ons, Fargate profiles
- EKS Node Groups: Remote access, disk encryption, AMI type, launch templates
- IAM Security: Role separation (task vs execution), overly permissive roles, OIDC provider, execution policy on task roles
- Logging & Monitoring: GuardDuty runtime monitoring, VPC flow logs
- Data Protection: ECR scan-on-push, tag immutability, in-transit encryption
- AWS Foundational Security Best Practices (FSBP): 16 ECS/EKS controls
- CIS Amazon EKS Benchmark v2.0.0: 5 API-assessable controls
- EKS Node Hardening: 5 AWS-specific node group controls
- PCI DSS v4.0.1: 14 controls
- HIPAA Security Rule (45 CFR §164): 13 controls
- SOC 2 (2017 TSC, 2022 PoF): 15 controls
- ISO 27001:2022: 14 controls
- ISO 27017:2015: 7 cloud security controls
- ISO 27018:2019: 5 PII protection controls (superseded by 2025 edition; migration planned for v1.1)
- GDPR (EU) 2016/679: 10 controls
- NIST SP 800-53 Rev. 5 (Release 5.2.0): 24 controls
- Multi-threaded Scanning: Parallel cluster analysis with ThreadPoolExecutor
- Rich Console Output: Progress bars, colored output, and formatted tables
- Multiple Report Formats: JSON, CSV, HTML, and compliance-specific reports
- Beautiful HTML Reports: Interactive dashboard with Chart.js visualizations
- Flexible Targeting: Scan all clusters, specific names/ARNs, or filter by service type (ECS/EKS)
- Modular Architecture: Facade pattern with 8 dedicated checker modules
- Thread-safe Sessions: Thread-local boto3 session management
- Graceful Degradation: AccessDenied errors don't crash scans
- Dual-service Design: Unified scanning for both ECS and EKS with shared and service-specific checks
- Account-level Caching: ECR results fetched once per account and reused across clusters
```bash
# Install from source
git clone https://github.com/TocConsulting/ecs-eks-security-scanner.git
cd ecs-eks-security-scanner
pip install .
```

```bash
# Build from source
docker build -t ecs-eks-security-scanner .
```

```bash
# Scan all ECS and EKS clusters
ecs-eks-security-scanner security

# Scan with specific AWS profile
ecs-eks-security-scanner security --profile production

# Scan ECS clusters only
ecs-eks-security-scanner security -s ecs

# Scan EKS clusters only
ecs-eks-security-scanner security -s eks

# Scan specific cluster(s) by name
ecs-eks-security-scanner security -c my-cluster -c my-other-cluster

# Exclude specific clusters
ecs-eks-security-scanner security --exclude-cluster dev --exclude-cluster staging

# Compliance report only
ecs-eks-security-scanner security --compliance-only
```

Scan ECS/EKS clusters for security vulnerabilities and compliance issues.

```text
ecs-eks-security-scanner security [OPTIONS]

Options:
  -s, --service TEXT         Service to scan: ecs, eks, all (default: all)
  -c, --cluster TEXT         Specific cluster name(s)/ARN(s) to scan (multiple)
  --exclude-cluster TEXT     Cluster name(s)/ARN(s) to exclude (multiple)
  --compliance-only          Generate compliance report only
  -r, --region TEXT          AWS region (default: us-east-1)
  -p, --profile TEXT         AWS profile name
  -o, --output-dir TEXT      Output directory (default: ./output)
  -f, --output-format TEXT   Report format: json, csv, html, all (default: all)
  -w, --max-workers INTEGER  Worker threads (default: 5)
  -q, --quiet                Suppress console output except errors
  -d, --debug                Enable debug logging
  -h, --help                 Show help

# Top-level options (before the 'security' command):
# ecs-eks-security-scanner --version
# ecs-eks-security-scanner --help
```

Examples:
```bash
# Scan all clusters with default settings
ecs-eks-security-scanner security

# EKS only, specific region, with HTML output
ecs-eks-security-scanner security -s eks -r eu-west-1 -f html

# High-performance scan with more threads
ecs-eks-security-scanner security -w 20 -p production

# JSON report only, quiet mode (for CI/CD)
ecs-eks-security-scanner security -f json -q

# Fast compliance-only scan
ecs-eks-security-scanner security --compliance-only -f html
```

```bash
# Show help
docker run --rm ecs-eks-security-scanner --help

# Show security command help
docker run --rm ecs-eks-security-scanner security --help
```

```bash
# Scan using mounted AWS credentials
docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v $(pwd)/output:/app/output \
  ecs-eks-security-scanner security

# Scan with specific AWS profile
docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v $(pwd)/output:/app/output \
  ecs-eks-security-scanner security --profile production

# Scan ECS clusters only
docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v $(pwd)/output:/app/output \
  ecs-eks-security-scanner security -s ecs
```

```bash
# Scan using AWS credentials passed through from the environment
docker run --rm \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_DEFAULT_REGION=us-east-1 \
  -v $(pwd)/output:/app/output \
  ecs-eks-security-scanner security

# With session token (for temporary credentials/assumed roles)
docker run --rm \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e AWS_DEFAULT_REGION=us-east-1 \
  -v $(pwd)/output:/app/output \
  ecs-eks-security-scanner security
```

| Mount | Purpose |
|---|---|
| -v ~/.aws:/root/.aws:ro | Mount AWS credentials (read-only) |
| -v $(pwd)/output:/app/output | Save reports to local directory |
- Python 3.10 or higher
- Required packages (installed automatically): boto3>=1.26.0, botocore>=1.29.0, rich>=13.0.0, click>=8.1.0, jinja2>=3.1.0
- AWS credentials configured (via AWS CLI, environment variables, or IAM roles)
- Required permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListClusters",
        "ecs:DescribeClusters",
        "ecs:ListServices",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "eks:ListAddons",
        "eks:ListFargateProfiles",
        "eks:DescribeFargateProfile",
        "ecr:DescribeRepositories",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "iam:ListOpenIDConnectProviders",
        "guardduty:ListDetectors",
        "guardduty:GetDetector",
        "ec2:DescribeFlowLogs",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
```

| # | Category | Checks | Focus |
|---|---|---|---|
| A | ECS Cluster Configuration | 5 | Container Insights, execute command logging, cluster encryption, capacity providers, Service Connect |
| B | ECS Task Definition Security | 10 | Privileged containers, root user, read-only root FS, Linux capabilities, network mode, logging, secrets, resource limits, PID mode, execution role |
| C | ECS Service Security | 5 | ECS Exec, public IP assignment, circuit breaker, Fargate platform version, security groups |
| D | EKS Cluster Configuration | 8 | API endpoint access, secrets encryption, control plane logging, K8s version, security groups, managed add-ons, Fargate profiles |
| E | EKS Node Group Security | 4 | Remote access, disk encryption, AMI type, launch templates |
| F | IAM Security | 5 | Role separation, overly permissive roles, OIDC provider, execution policy on task role, cluster role permissions |
| G | Logging & Monitoring | 4 | Container Insights (alias A.1), control plane logging (alias D.4), GuardDuty, VPC flow logs |
| H | Data Protection | 4 | Cluster encryption (alias A.3/D.3), ECR scan-on-push, ECR tag immutability, in-transit encryption |
The scanner decodes and scans ECS task definition environment variables for exposed secrets:
| Pattern | Examples |
|---|---|
| AWS Access Keys | AKIA..., ASIA... |
| AWS Secret Keys | aws_secret_access_key=... |
| Passwords | PASSWORD=, DB_PASSWORD=, MYSQL_ROOT_PASSWORD= |
| Private Keys | -----BEGIN RSA PRIVATE KEY----- |
| GitHub Tokens | ghp_..., gho_..., ghs_... |
| API Keys | api_key=, api_token=, AUTH_TOKEN= |
| Connection Strings | postgres://user:pass@host/db |
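As an added illustration of the environment-variable check described above (this is example code, not the scanner's own B.7 implementation), a simplified scan of a task definition's plaintext environment against the listed pattern families. The pattern set, the `redact` helper and the sample task definition are all constructed here for the example.

```python
import re

# Added example (not the project's own B.7 check): scan containerDefinitions[].
# environment for the patterns in the table above, by variable name or by value.
NAME_PATTERNS = {
    "AWS Secret Key": re.compile(r"aws_secret_access_key", re.I),
    "Password": re.compile(r"password", re.I),
    "API Key": re.compile(r"api_key|api_token|auth_token", re.I),
}
VALUE_PATTERNS = {
    "AWS Access Key": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Private Key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "GitHub Token": re.compile(r"\bgh[pos]_[0-9A-Za-z]{20,}\b"),
    "Connection String": re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I),
}

def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding never reproduces the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"

def find_secrets_in_task_definition(task_def: dict) -> list[dict]:
    """Return one finding per plaintext environment variable that matches."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        # Plaintext "environment" only; "secrets" (valueFrom) is the right place and is left alone.
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if not value:  # an empty value exposes nothing; skip it
                continue
            hits = [p for p, rx in NAME_PATTERNS.items() if rx.search(name)]
            hits += [p for p, rx in VALUE_PATTERNS.items() if rx.search(value)]
            if hits:
                findings.append({"container": container.get("name"), "variable": name,
                                 "patterns": sorted(set(hits)), "value_preview": redact(value)})
    return findings

# Constructed sample task definition; none of these values are real credentials.
SAMPLE_TASK_DEFINITION = {"family": "web", "containerDefinitions": [{
    "name": "app",
    "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "hunter2-not-real"},
        {"name": "ADMIN_PASSWORD", "value": ""},
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"name": "GITHUB_TOKEN", "value": "ghp_EXAMPLE" + "0" * 29},
        {"name": "DATABASE_URL", "value": "postgres://app:s3cret@db.internal/app"},
        {"name": "TLS_KEY", "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIB..."},
    ],
}]}
```

Running `find_secrets_in_task_definition(SAMPLE_TASK_DEFINITION)` flags five variables and leaves LOG_LEVEL and the empty ADMIN_PASSWORD alone; each finding carries only a redacted preview so the report itself does not become a second copy of the secret.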
```text
ecs_eks_security_scanner/
├── scanner.py                 # Main scanner orchestration (facade pattern)
├── cli.py                     # Click CLI interface
├── compliance.py              # 128 controls across 11 frameworks
├── html_reporter.py           # Jinja2 HTML report generation
├── utils.py                   # Logging, scoring, formatting
├── checks/                    # Security check modules
│   ├── base.py                # BaseChecker (session factory, error handling)
│   ├── ecs_cluster.py         # A.1-A.5: Container Insights, encryption
│   ├── ecs_task.py            # B.1-B.10: Privileged, secrets, capabilities
│   ├── ecs_service.py         # C.1-C.5: ECS Exec, public IPs, circuit breaker
│   ├── eks_cluster.py         # D.1-D.8: Endpoint access, logging, add-ons
│   ├── eks_nodegroup.py       # E.1-E.4: Remote access, disk encryption
│   ├── iam_security.py        # F.1-F.5: Role separation, OIDC, permissions
│   ├── logging_monitoring.py  # G.3-G.4: GuardDuty, VPC flow logs
│   └── data_protection.py     # H.2-H.4: ECR scanning, tag immutability
└── templates/
    └── report.html            # Interactive HTML dashboard
```
Each cluster receives a security score (0-100) starting at 100 points. Deductions for ECS clusters:

| Security Issue | Points Deducted | Severity |
|---|---|---|
| Privileged containers (B.1) | -20 | CRITICAL |
| Secrets in environment variables (B.7) | -20 | CRITICAL |
| Overly permissive IAM roles (F.2) | -20 | CRITICAL |
| Root user containers (B.2) | -15 | HIGH |
| Non-awsvpc network mode (B.5) | -15 | HIGH |
| Public IP assignment (C.2) | -15 | HIGH |
| Execute command logging disabled (A.2) | -10 | HIGH |
| Read-only root FS not enforced (B.3) | -10 | HIGH |
| Dangerous Linux capabilities (B.4) | -10 | HIGH |
| Container logging not configured (B.6) | -10 | HIGH |
| Host PID mode (B.9) | -10 | HIGH |
| Execution role missing (B.10) | -10 | HIGH |
| Security groups not configured (C.5) | -10 | HIGH |
| Role separation missing (F.1) | -10 | HIGH |
| GuardDuty disabled (G.3) | -10 | HIGH |
| ECR scan-on-push disabled (H.2) | -10 | HIGH |
| Container Insights disabled (A.1) | -5 | MEDIUM |
| Cluster encryption disabled (A.3) | -5 | MEDIUM |
| Resource limits missing (B.8) | -5 | MEDIUM |
| ECS Exec without logging (C.1) | -5 | MEDIUM |
| Circuit breaker disabled (C.3) | -5 | MEDIUM |
| Fargate platform version outdated (C.4) | -5 | MEDIUM |
| Execution policy on task role (F.4) | -5 | MEDIUM |
| VPC flow logs disabled (G.4) | -5 | MEDIUM |
| ECR tag immutability disabled (H.3) | -5 | MEDIUM |
| In-transit encryption missing (H.4) | -5 | MEDIUM |
| Capacity provider strategy missing (A.4) | -2 | LOW |
| Service Connect not configured (A.5) | -2 | LOW |
Deductions for EKS clusters:

| Security Issue | Points Deducted | Severity |
|---|---|---|
| Unrestricted public endpoint (D.1) | -20 | CRITICAL |
| End-of-life Kubernetes version (D.5) | -20 | CRITICAL |
| Overly permissive IAM roles (F.2) | -20 | CRITICAL |
| Secrets encryption disabled (D.3) | -15 | HIGH |
| Remote access unrestricted (E.1) | -15 | HIGH |
| OIDC provider not configured (F.3) | -15 | HIGH |
| Private endpoint disabled (D.2) | -10 | HIGH |
| Control plane logging incomplete (D.4) | -10 | HIGH |
| Disk encryption disabled (E.2) | -10 | HIGH |
| GuardDuty disabled (G.3) | -10 | HIGH |
| ECR scan-on-push disabled (H.2) | -10 | HIGH |
| Cluster security group missing (D.6) | -5 | MEDIUM |
| Managed add-ons missing (D.7) | -5 | MEDIUM |
| Fargate profiles private subnets (D.8) | -5 | MEDIUM |
| Insecure AMI type (E.3) | -5 | MEDIUM |
| Overly permissive cluster role (F.5) | -5 | MEDIUM |
| VPC flow logs disabled (G.4) | -5 | MEDIUM |
| ECR tag immutability disabled (H.3) | -5 | MEDIUM |
| In-transit encryption missing (H.4) | -5 | MEDIUM |
| Launch template not used (E.4) | -2 | LOW |
Formula: Score = max(0, 100 - total_deductions)
| Score Range | Level | Action |
|---|---|---|
| 90-100 | Excellent | Maintain current posture |
| 70-89 | Good | Address minor gaps |
| 50-69 | Needs Improvement | Fix medium-priority issues |
| 0-49 | Critical | Immediate action required |
The scanner generates reports in the specified output directory.

JSON report (summary section shown):

```json
{
  "summary": {
    "scan_time": "2026-03-11T10:30:45",
    "region": "us-east-1",
    "account_id": "123456789012",
    "total_clusters": 5,
    "ecs_clusters": 3,
    "eks_clusters": 2,
    "average_security_score": 78.5
  },
  "results": [...]
}
```

CSV report: spreadsheet-friendly format with all key metrics and compliance status.

HTML report: interactive dashboard with:
- Executive Summary: Key metrics and risk indicators
- Score Distribution: Bar chart of cluster security scores
- Compliance Overview: Table across all 11 frameworks
- Severity Breakdown: Doughnut chart of findings by severity
- Cluster Details: Table with scores, issue counts, and cluster type badges
- Per-Cluster Issues: Detailed finding tables with severity and recommendations
Compliance report: per-cluster compliance evaluation across all 11 frameworks with passed/failed control details.
```bash
git clone https://github.com/TocConsulting/ecs-eks-security-scanner.git
cd ecs-eks-security-scanner
python -m venv venv
source venv/bin/activate
pip install -e ".[dev]"
```

```bash
# Install development dependencies
pip install -e ".[dev]"

# Run all tests
python -m pytest tests/ -v

# Run specific test file
python -m pytest tests/test_compliance.py -v

# Run with coverage
python -m pytest tests/ --cov=ecs_eks_security_scanner --cov-report=html
```

```text
tests/
├── test_cli.py                  # CLI option and command tests
├── test_compliance.py           # 128 controls, 11 frameworks validation
├── test_scoring.py              # ECS and EKS scoring logic
├── test_ecs_cluster.py          # A.1-A.5 checks
├── test_ecs_task.py             # B.1-B.10 checks (privileged, secrets)
├── test_ecs_service.py          # C.1-C.5 checks
├── test_eks_cluster.py          # D.1-D.8 checks (endpoint, logging)
├── test_eks_nodegroup.py        # E.1-E.4 checks
├── test_iam_security.py         # F.1-F.5 checks (roles, permissions)
├── test_logging_monitoring.py   # G.3-G.4 checks (GuardDuty, flow logs)
├── test_data_protection.py      # H.2-H.4 checks (ECR, encryption)
└── test_utils.py                # Logging, formatting utilities
```
Tests use unittest.mock for AWS service mocking, allowing comprehensive testing without AWS resources.
- Documentation: Check this README and inline help (--help)
- Issues: Report bugs via GitHub Issues
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
- AWS Security Best Practices: Based on official AWS security recommendations
- CIS Benchmarks: Implements CIS Amazon EKS Benchmark v2.0.0 controls
- s3-security-scanner: Architecture and design patterns
- ec2-security-scanner: Architecture and design patterns
Security Notice: This tool is designed for defensive security purposes only. Always ensure you have proper authorization before scanning AWS resources. The tool requires read-only permissions and does not modify any AWS resources.
Performance Note: The scanner uses account-level caching for ECR results and thread-safe boto3 sessions for parallel cluster scanning. Use -w to adjust parallelism based on your API rate limits.
