(ec2): VPC flow log ECS record fields don't work #33341

isker opened this issue Feb 7, 2025 · 4 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud feature-request A feature should be added or improved. p2

Comments

@isker
Contributor

isker commented Feb 7, 2025

Describe the feature

VPC flow logs support various ECS fields if one of the participants in the log record is an ECS task.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html

The documentation for each of these fields says:

To include this field in your subscription, you need permission to call ecs:XXX.

Where the exact permission varies. I'm guessing "you" means the flow logs service principal vpc-flow-logs.amazonaws.com, though I'm honestly not certain. Regardless, CDK generates no such grants, so these ECS fields are always empty even when ECS is involved in the flow.

Use Case

I want to investigate NAT gateway usage by ECS tasks. Without these records working, I have to correlate task ENI IP addresses to those appearing in the flow logs.

Proposed Solution

If any of the ECS LogFormats are used, FlowLog should grant the appropriate permissions.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.178.1

Environment details (OS name and version, etc.)

N/A

@isker isker added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 7, 2025
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Feb 7, 2025
@jacklin213
Member

Currently, to create flow logs that support version 7 fields (ECS metadata) with the correct permissions, you would have to use the FlowLogs construct similarly to the following:

import { FlowLog, FlowLogDestination, FlowLogResourceType, LogFormat } from 'aws-cdk-lib/aws-ec2';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

const flowLog = new FlowLog(stack, 'FlowLogs', {
    resourceType: FlowLogResourceType.fromVpc(someVpc),
    destination: FlowLogDestination.toCloudWatchLogs(someLogGroup),
    logFormat: [
        LogFormat.ECS_CLUSTER_ARN,
        LogFormat.ECS_CLUSTER_NAME,
        LogFormat.ECS_CONTAINER_INSTANCE_ARN,
        LogFormat.ECS_CONTAINER_INSTANCE_ID,
        LogFormat.ECS_CONTAINER_ID,
        LogFormat.ECS_SECOND_CONTAINER_ID,
        LogFormat.ECS_SERVICE_NAME,
        LogFormat.ECS_TASK_DEFINITION_ARN,
        LogFormat.ECS_TASK_ARN,
        LogFormat.ECS_TASK_ID,
    ],
});

// addToPrincipalPolicy accepts a single statement, so each statement is added in its own call.
// iamRole is only defined for the CloudWatch Logs destination, hence the optional chaining.
flowLog.iamRole?.addToPrincipalPolicy(
    new PolicyStatement({
        actions: [
            'ecs:ListClusters',        // Required for every ECS_* field listed above
            'ecs:ListServices',        // Required for ECS_SERVICE_NAME
            'ecs:ListTaskDefinitions', // Required for ECS_TASK_DEFINITION_ARN
        ],
        effect: Effect.ALLOW,
        resources: ['*'], // These three actions only support the wildcard resource
    }),
);
flowLog.iamRole?.addToPrincipalPolicy(
    new PolicyStatement({
        actions: [
            'ecs:ListContainerInstances', // Required for ECS_CONTAINER_INSTANCE_ARN | ECS_CONTAINER_INSTANCE_ID
        ],
        effect: Effect.ALLOW,
        resources: [...], // This part would need to be scoped down to your cluster resource arn
    }),
);
flowLog.iamRole?.addToPrincipalPolicy(
    new PolicyStatement({
        actions: [
            'ecs:ListTasks', // Required for ECS_TASK_ARN | ECS_TASK_ID
        ],
        effect: Effect.ALLOW,
        resources: [...], // This part would need to be scoped down to your container-instance resource arn
    }),
);

Note: for demonstration purposes I have modified the role that is auto-created by the FlowLogs construct, but it would probably be better to use your own custom role.

At present, LogFormat is essentially just static strings, so any permission granting from the FlowLogs construct itself would have to happen within the constructor, most likely around:

if (props.logFormat) {
    customLogFormat = props.logFormat.map(elm => {
        return elm.value;
    }).join(' ');
}

The permissions for ecs:ListClusters, ecs:ListServices and ecs:ListTaskDefinitions will be fairly straightforward, since they just support the wildcard resource *. Source: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html

I think the part that would be hard to incorporate into the existing FlowLogs construct is the scoping of the resource element for permissions such as ecs:ListTasks and ecs:ListContainerInstances, as it would require some form of passing ECS resource attributes into the construct.

The other thing to think about is the mapping of LogFormat to IAM permissions.

@isker
Contributor Author

isker commented Feb 10, 2025

Thanks for the write up.

  • I think that would only work for CloudWatch today because the other destinations don’t result in a Role being created.
  • ListServices and ListTasks can actually be scoped to a cluster with the ecs:cluster condition key, as the doc you linked shows.
  • Are you sure all the scopeable actions would have to be restricted to specific clusters? Multiple clusters can be running in a VPC, and the set of clusters that need to be enumerated might not even be clear to the caller constructing the FlowLog. Are we obligated to produce the most restrictive policies possible, even with read-only actions like these?
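The field-to-permission mapping jacklin213 sketched, combined with isker's point that the cluster-scoped actions can be restricted with the ecs:cluster condition key, as an added example that is not CDK code or anything from this thread. It assumes the VPC flow log field names from the AWS docs (e.g. ${ecs-task-id}) and produces plain IAM policy statements; the cluster ARN in the test is a constructed sample value.

```typescript
// Added example (not aws-cdk code): derive the IAM statements a flow-log delivery
// role needs for the ECS fields present in a flow log format string.
// Assumptions: field names are the VPC flow log field names from the AWS docs;
// the action-to-field mapping follows jacklin213's comment in this issue.

type Statement = {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string[]>>;
};

// Which ecs:List* action each ECS field depends on.
const FIELD_ACTIONS: Record<string, string[]> = {
  'ecs-cluster-arn': ['ecs:ListClusters'],
  'ecs-cluster-name': ['ecs:ListClusters'],
  'ecs-container-instance-arn': ['ecs:ListClusters', 'ecs:ListContainerInstances'],
  'ecs-container-instance-id': ['ecs:ListClusters', 'ecs:ListContainerInstances'],
  'ecs-container-id': ['ecs:ListClusters'],
  'ecs-second-container-id': ['ecs:ListClusters'],
  'ecs-service-name': ['ecs:ListClusters', 'ecs:ListServices'],
  'ecs-task-definition-arn': ['ecs:ListClusters', 'ecs:ListTaskDefinitions'],
  'ecs-task-arn': ['ecs:ListClusters', 'ecs:ListTasks'],
  'ecs-task-id': ['ecs:ListClusters', 'ecs:ListTasks'],
};

// Actions that only accept Resource "*" (per the service authorization reference).
const WILDCARD_ONLY = new Set(['ecs:ListClusters', 'ecs:ListServices', 'ecs:ListTaskDefinitions']);

function ecsFlowLogStatements(logFormat: string, clusterArns: string[] = []): Statement[] {
  // A log format looks like "${version} ${ecs-task-id} ..."; pull out the field names.
  const fields: string[] = [];
  const re = /\$\{([a-z0-9-]+)\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(logFormat)) !== null) fields.push(m[1]);

  const actions = new Set<string>();
  for (const f of fields) for (const a of FIELD_ACTIONS[f] ?? []) actions.add(a);
  const wild = Array.from(actions).filter(a => WILDCARD_ONLY.has(a)).sort();
  const scoped = Array.from(actions).filter(a => !WILDCARD_ONLY.has(a)).sort();

  const statements: Statement[] = [];
  if (wild.length) statements.push({ Effect: 'Allow', Action: wild, Resource: ['*'] });
  if (scoped.length) {
    // No known clusters: fall back to "*" (the wildcard-everything variant isker asks about).
    // Known clusters: keep Resource "*" but restrict via the ecs:cluster condition key.
    const s: Statement = { Effect: 'Allow', Action: scoped, Resource: ['*'] };
    if (clusterArns.length) s.Condition = { ArnEquals: { 'ecs:cluster': clusterArns } };
    statements.push(s);
  }
  return statements;
}
```

A format with no ECS fields yields no statements, so the helper is safe to call unconditionally from the constructor spot quoted above.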

@pahud
Contributor

pahud commented Feb 10, 2025

Proposed Solution
If any of the ECS LogFormats are used, FlowLog should grant the appropriate permissions.

Thank you for the report @isker. Can you share a minimal code snippet as well as what permissions you expect to be auto-generated? Meanwhile, we welcome PRs from the community.

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 10, 2025
@isker
Contributor Author

isker commented Feb 10, 2025

The policy @jacklin213 sketched above looks good, though implementation would get a lot easier if we did not need to scope grants to particular resources (i.e. we use wildcard for everything).

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 10, 2025