Amazon ECS
Amazon ECS (Elastic Container Service) by Amazon Web Services (AWS) provides container orchestration for deploying, managing, and scaling containerized applications. You can bring cluster, service, task, and task definition data from Amazon ECS into Brinqa to gain a unified view of your container workloads, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Amazon ECS and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Amazon ECS from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Amazon ECS with Brinqa:
-
Access key ID and Secret access key: The access keys associated with the AWS account. The account must have the required read-only permissions for the specific AWS service. For additional information, see Create an IAM user for AWS access.
-
Default region: The AWS region for the connector. If not specified, the connector uses the AWS Default Region Provider Chain.
Create an IAM user for AWS access
For detailed steps on creating an IAM user and obtaining access keys, see the Amazon EC2 connector documentation. Follow the same process, but attach the required ECS permissions (ecs:ListClusters, ecs:DescribeClusters, ecs:ListServices, ecs:DescribeServices, ecs:ListTasks, ecs:DescribeTasks, ecs:ListTaskDefinitions, ecs:DescribeTaskDefinition) instead of the EC2 permissions.
The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).
Additional settings
The Amazon ECS connector contains additional options for specific configuration:
-
Assume role ARN: ARN of an IAM role to assume. Comma-separated to assume multiple roles in the same sync.
-
Session duration: Assume-role session duration in seconds. The default setting is 3600.
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 8.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Amazon ECS API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The Amazon ECS connector can retrieve the following types of data from the Amazon ECS API:
Table 1: Data retrieved from Amazon ECS
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| EcsCluster | Yes | Cloud Resource |
| EcsService | Yes | Cloud Resource |
| EcsTask | Yes | Cloud Resource |
| EcsTaskDefinition | Yes | Cloud Resource |
For detailed steps on how to view the data retrieved from Amazon ECS in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
EcsCluster
Table 2: EcsCluster attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
cluster.activeServicesCount | ACTIVE_SERVICES_COUNT |
cluster.capacityProviders | CAPACITY_PROVIDERS |
cluster.clusterArn | CLUSTER_ARN |
cluster.clusterArn | UID |
cluster.clusterName | CLUSTER_NAME |
cluster.clusterName (fallback: ARN) | NAME |
cluster.pendingTasksCount | PENDING_TASKS_COUNT |
cluster.registeredContainerInstancesCount | REGISTERED_CONTAINER_INSTANCE_COUNT |
cluster.runningTasksCount | RUNNING_TASKS_COUNT |
cluster.status | SOURCE_STATUS |
cluster.tags | TAGS |
Generated (constant AWS) | CLOUD_PROVIDER |
| Generated (sync region) | REGION |
| Generated (sync timestamp) | LAST_CAPTURED |
EcsService
Table 3: EcsService attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
awsvpcConfiguration.assignPublicIp == ENABLED | ASSIGN_PUBLIC_IP |
awsvpcConfiguration.securityGroups | SECURITY_GROUP_IDS |
awsvpcConfiguration.subnets | SUBNET_IDS |
service.clusterArn | CLUSTER_ARN |
service.createdAt | FIRST_SEEN |
service.desiredCount | DESIRED_COUNT |
service.launchTypeAsString() | LAUNCH_TYPE |
service.loadBalancers[*].targetGroupArn | TARGET_GROUP_ARNS |
service.pendingCount | PENDING_COUNT |
service.platformFamily | PLATFORM_FAMILY |
service.platformVersion | PLATFORM_VERSION |
service.roleArn | SERVICE_ROLE_ARN |
service.runningCount | RUNNING_COUNT |
service.schedulingStrategyAsString() | SCHEDULING_STRATEGY |
service.serviceArn | SERVICE_ARN |
service.serviceArn | UID |
service.serviceName | SERVICE_NAME |
service.serviceName (fallback: ARN) | NAME |
service.status | SOURCE_STATUS |
service.tags | TAGS |
service.taskDefinition | TASK_DEFINITION |
Generated (constant AWS) | CLOUD_PROVIDER |
| Generated (sync region) | REGION |
| Generated (sync timestamp) | LAST_CAPTURED |
EcsTask
Table 4: EcsTask attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
attachment details networkInterfaceId | NETWORK_INTERFACE_IDS |
attachment details privateIPv4Address | PRIVATE_IP_ADDRESSES |
attachment details subnetId | SUBNET_IDS |
task.availabilityZone | AVAILABILITY_ZONE |
task.clusterArn | CLUSTER_ARN |
task.containerInstanceArn | CONTAINER_INSTANCE_ARN |
task.containers[*].image | CONTAINER_IMAGES |
task.cpu | CPU |
task.createdAt | FIRST_SEEN |
task.desiredStatus | DESIRED_STATUS |
task.group | GROUP |
task.lastStatus | SOURCE_STATUS |
task.launchTypeAsString() | LAUNCH_TYPE |
task.memory | MEMORY |
task.platformVersion | PLATFORM_VERSION |
task.startedAt | LAST_STARTED |
task.stoppedAt | LAST_STOPPED |
task.tags | TAGS |
task.taskArn | NAME |
task.taskArn | TASK_ARN |
task.taskArn | UID |
task.taskDefinitionArn | TASK_DEFINITION_ARN |
Generated (constant AWS) | CLOUD_PROVIDER |
| Generated (sync region) | REGION |
| Generated (sync timestamp) | LAST_CAPTURED |
EcsTaskDefinition
Table 5: EcsTaskDefinition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
containerDefinitions[*].environment[*].name | ENVIRONMENT_KEYS |
containerDefinitions[*].image | CONTAINER_IMAGES |
containerDefinitions[*].secrets[*] | SECRET_REFS |
family:revision (fallback: ARN) | NAME |
taskDefinition.cpu | CPU |
taskDefinition.executionRoleArn | EXECUTION_ROLE_ARN |
taskDefinition.family | FAMILY |
taskDefinition.memory | MEMORY |
taskDefinition.networkModeAsString() | NETWORK_MODE |
taskDefinition.registeredAt | FIRST_SEEN |
taskDefinition.requiresCompatibilitiesAsStrings() | REQUIRES_COMPATIBILITIES |
taskDefinition.revision | REVISION |
taskDefinition.statusAsString() | SOURCE_STATUS |
taskDefinition.taskDefinitionArn | TASK_DEFINITION_ARN |
taskDefinition.taskDefinitionArn | UID |
taskDefinition.taskRoleArn | TASK_ROLE_ARN |
Generated (constant AWS) | CLOUD_PROVIDER |
| Generated (sync region) | REGION |
| Generated (sync timestamp) | LAST_CAPTURED |
Operation options
The Amazon ECS connector supports the following operation options. See connector operation options for information about how to apply them.
Table 6: Amazon ECS operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| EcsTask | fetchStoppedTasks | true, false | When set to true, the connector additionally retrieves tasks with desiredStatus=STOPPED. By default, only tasks with desiredStatus=RUNNING are synced. Enabling this option increases sync volume in busy clusters. The default value is false. | Key: fetchStoppedTasks Value: true. This key and value combination retrieves both running and recently stopped tasks. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Amazon ECS connector uses the Amazon ECS API. Specifically, it uses the following endpoints:
Table 7: Amazon ECS API endpoints
| Connector Object | API Endpoint |
|---|---|
| EcsCluster | ecs:ListClusters ecs:DescribeClusters |
| EcsService | ecs:ListClusters ecs:ListServices ecs:DescribeServices |
| EcsTask | ecs:ListClusters ecs:ListTasks ecs:DescribeTasks |
| EcsTaskDefinition | ecs:ListTaskDefinitions ecs:DescribeTaskDefinition |
Changelog
The Amazon ECS connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 8: Amazon ECS changelog
| Version | Description | Date Published |
|---|---|---|
| 3.1.0 | Initial Integration+ release. | June 1st, 2026 |