Amazon Elastic Container Service

 General

1. What is Amazon Elastic Container Service?

Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing, Amazon Elastic Block Store (EBS) volumes, and Identity Access Management (IAM). roles. You can use Amazon ECS to schedule container placement across your cluster based on your resource needs and availability requirements. You can also integrate your own scheduler or third-party schedulers to meet business or application specific requirements.

 

2. Why should I use Amazon ECS?

Amazon ECS makes it easy to use containers as a building block for your applications by eliminating the need for you to install, operate, and scale your own cluster management infrastructure. Amazon ECS lets you schedule long-running applications, services, and batch processes using Docker containers. Amazon ECS maintains application availability and allows you to scale your containers up or down to meet your application's capacity requirements. Amazon ECS is integrated with familiar features like Elastic Load Balancing, EBS volumes, Amazon Virtual Private Cloud (VPC), and IAM. Simple APIs let you integrate and use your own schedulers or connect Amazon ECS into your existing software delivery process.

 

3. What is the pricing for Amazon ECS?

There is no additional charge for Amazon ECS. You pay for AWS resources (e.g. Amazon EC2 instances or EBS volumes) you create to store and run your application. You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

 

4. How is Amazon ECS different from AWS Elastic Beanstalk?

AWS Elastic Beanstalk is an application management platform that helps customers easily deploy and scale web applications and services. It keeps the building block provisioning (e.g., EC2, Amazon RDS, Elastic Load Balancing, AWS Auto Scaling, and Amazon CloudWatch), application deployment, and health monitoring abstracted from the user so they can focus on writing code. You simply specify which container images to  deploy, the CPU and memory requirements, the port mappings, and the container links.

Elastic Beanstalk will automatically handle all the details such as provisioning an Amazon ECS cluster, balancing load, auto-scaling, monitoring, and container placement across your cluster. Elastic Beanstalk is ideal if you want to leverage the benefits of containers withthe simplicity of deploying applications from development to production by uploading a container image. You can work with Amazon ECS directly if you want more fine-grained control for custom application architectures.

 

5. How is Amazon ECS different from AWS Lambda?

Amazon ECS is a highly scalable Docker container management service that allows you to run and manage distributed applications that run in Docker containers. AWS Lambda is an event-driven task compute service that runs your code in response to “events” such as changes in data, website clicks, or messages from other AWS services without you having to manage any compute infrastructure.

 

Using Amazon ECS

6. How do I get started using Amazon ECS?

Visit our Getting Started page for more information on how to start using Amazon ECS.

 

7. Does Amazon ECS support any other container types?

No. Docker is the only container platform supported by Amazon ECS at this time.

 

8. I want to launch containers. Why do I have to launch tasks?

Docker encourages you to split your applications up into their individual components, and Amazon ECSis optimized for this pattern. Tasks allow you to define a set of containers you would like to place together (or part of the same placement decision), their properties, and how they may be linked. Tasks include all the information Amazon ECS needs to make the placement decision. To launch a single container, your task Definition should only include one container definition.

 

9. Does Amazon ECS support applications and services?

Yes. The Amazon ECS Service scheduler can manage long-running applications and services. The service scheduler helps you maintain application availability and allows you to scale your containers up or down to meet your application's capacity requirements. The service scheduler allows you to distribute traffic across your containers using Elastic Load Balancing (ELB). Amazon ECS will automatically register and deregister your containers from the associated load balancer.

The service scheduler will also automatically recover containers that become unhealthy (i.e. fail ELB health checks) or stop running to ensure you have the desired number of healthy containers supporting your application.

You can scale your application up and down by changing the number of containers you want the service to run. You can update your application by changing its definition or using a new image. The scheduler will automatically start new containers using the new definition and stop containers running the previous version (waiting for the ELB connections to drain if ELB is used).

 

10. Does Amazon ECS support dynamic port mapping?

Yes. It is possible to associate a service on Amazon ECS to an Application Load Balancer (ALB) for the ELB service. The ALB supports a target group containing a set of instance ports. You can specify a dynamic port in the ECS task definition which gives the container an unused port when it is scheduled on the EC2 instance. The ECS scheduler will automatically add the task to the Application Load Balancer’s target group using this port.

 

11. Does Amazon ECS support batch jobs?

Yes. You can use Amazon ECS Run task to run one or more tasks once. Run task starts the task on an instance that meets the task’s requirements including CPU, memory, and ports.

12. Can I use my own scheduler with Amazon ECS?

ECS provides Blox, a collection of open-source projects for container management and orchestration. Blox makes it easy to consume events from Amazon ECS, store the cluster state locally, and query the local data store through APIs. Blox also includes a daemon scheduler that can be used as a reference for how to use the cluster state server. See the Blox GitHub page to learn more.

 

13. Can I use my own Amazon Machine Image (AMI)?

Yes. You can use any AMI that meets the Amazon ECS AMI specification. We recommend starting from the Amazon ECS-enabled Amazon Linux AMI. Partner AMIs compatible with Amazon ECS are also available. You can review the Amazon ECS AMI specification in the documentation.

 

14. How can I configure my container instances to pull from Amazon Elastic Container Registry?

Amazon ECR is integrated with Amazon ECS allowing you to easily store, run, and manage container images for applications running on Amazon ECS. All you need to do is specify the Amazon ECR repository in your task Definition and attach the AmazonEC2ContainerServiceforEC2Role to your instances. Then Amazon ECS will retrieve the appropriate images for your applications.

 

15. How does AWS Fargate work with Amazon ECS?

With Fargate, the concept of server provisioning, cluster management, and orchestration completely goes away. Amazon ECS uses containers provisioned by Fargate to automatically scale, load balance, and manage scheduling of your containers for availability, providing an easier way to build and operate containerized applications.

 

16. How should I choose between using AWS Fargate with Amazon ECS or just using ECS?

Amazon ECS supports Fargate technology and customers canchoose AWS Fargate to launch their containers without having to provision or manage Amazon EC2 instances. AWS Fargate is the easiest way to launch and run containers on AWS. Customersr equiring greater control of their EC2 instances (to support compliance and governance requirements or broader customization options) can choose to use ECS without Fargate to launch EC2 instances.

 

Security and Compliance

17. How does Amazon ECS isolate containers belonging to different customers?

Amazon ECS schedules containers for execution on customer-controlled Amazon EC2 instances or with AWS Fargate and builds on the same isolation controls and compliance settings available for EC2 customers. Your compute instances are located in a Virtual Private Cloud (VPC) with an IP range that you specify. You decide which instances are exposed to the Internet and which remain private.

·      Your EC2 instances use an IAM role to access the ECS service.

·      Your ECS tasks use an IAM role to access services and resources.

·      Security Groups and networks ACLs allow you to control inbound and outbound network access to and from your instances.

·      You can connect your existing IT infrastructure to resources in your VPC using industry-standard encrypted IPsec VPN connections.

·      You can provision your EC2 resources as Dedicated Instances. Dedicated Instances are Amazon EC2 Instances that run on hardware dedicated to a single customer for additional isolation.

 

18. Can I apply additional security configuration and isolation frameworks to my container instances?

Yes. As an Amazon EC2 customer, you have root access to the operating system (OS) of your container instances. You can take ownership of the OS security settings, as well as configure additional software components for security capabilities such as monitoring, patch management, log management, and host intrusion detection.

 

19. Can I operate container instances with different security settings or segregate different tasks across different environments?

Yes. You can configure your different container instances using the tooling of your choice. Amazon ECS allows you to control the placement of tasks in different container instances through the construct of clusters and targeted launches.

 

20. Does Amazon ECS support retrieving Docker images from a private or internal source?

Yes. Customers can configure their container instances to access a private Docker image registry within a VPC or a registry that’s accessible outside a VPC such as Amazon Elastic Container Registry (ECR).

 

21. How do I configure IAM roles for ECS tasks?

You first need to create an IAM role for your task, using the 'Amazon EC2 Container Service Task Role’ service role and attaching a policy with the required permissions. When you create a new task definition or a task definition revision, you can then specify a role by selecting it from the ’Task Role’ drop-down or using the ‘taskRoleArn’ filed in the JSON format.

 

22. With which compliance programs does Amazon ECS conform?

Amazon ECS meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and HIPAA eligibility.

For more information, visit our compliance pages.

 

23. Can I use Amazon ECS for Protected Health Information (PHI) and other HIPAA-regulated workloads?

Yes. Amazon ECS is HIPAA-eligible. If you have an executed Business Associate Addendum (BAA) with AWS, you can use Amazon ECS to process encrypted Protected Health Information (PHI) using Docker containers deployed onto the AWS Fargate launch-type or Amazon EC2 compute instances.

For more information, please visit our page on HIPAA compliance. If you plan to process, store, or transmit PHI and do not have an executed BAA from AWS, please contact us for more information.

 

24. Can I use Amazon ECS for US Government-regulated workloads or processing sensitive Controlled Unclassified Information (CUI)?

Yes. By using the AWS GovCloud (US) region, containers and clusters managed by Amazon ECS can meet the requirements to sensitive data and regulated workloads with your containers.

For more information, visit our page on AWS GovCloud.

 

Service Level Agreement (SLA)

25. What does the Amazon ECS SLA guarantee?

Our Compute SLA guarantees a Monthly Uptime Percentage of at least 99.99% for Amazon ECS.

 

26. How do I know if I qualify for a SLA Service Credit?

You are eligible for an SLA credit for Amazon ECS under the Compute SLA if more than one Availability Zone in which you are running a task, within the same region has a Monthly Uptime Percentage of less than 99.99% during any monthly billing cycle.

For full details on all of the terms and conditions of the SLA, as well as details on how to submit a claim, please see the Compute SLA details page.