ECS cluster logging must be encrypted

Description

ECS clusters should have encrypted logging enabled for execute command sessions to protect sensitive data in transit and at rest.

Remediation

Configure encryption for your ECS cluster’s execute command logging: set a KMS key ID and enable encryption for the CloudWatch Logs or S3 destinations in the log configuration. Refer to the Encryption best practices for Amazon ECS.
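The check below is an added example, not the rule's own code: it evaluates a cluster description against the settings named in the remediation and lists what is missing. Field names follow the ECS DescribeClusters response; the pass/fail logic, the function name and the sample clusters are assumptions made for illustration.

```python
# Field names follow the ECS DescribeClusters response (include=CONFIGURATIONS).
# The pass/fail logic is this example's reading of the rule, not the vendor's rule code.

def exec_logging_findings(cluster):
    """Return the reasons execute command logging on this cluster is not encrypted."""
    exec_cfg = (cluster.get("configuration") or {}).get("executeCommandConfiguration") or {}
    findings = []
    if not exec_cfg.get("kmsKeyId"):
        findings.append("kmsKeyId is not set")
    mode = exec_cfg.get("logging", "DEFAULT")
    if mode != "OVERRIDE":
        # Assumption: the encryption flags checked below live in logConfiguration,
        # which is only used when logging is OVERRIDE.
        findings.append(f"logging is {mode}, so logConfiguration is not applied")
        return findings
    log_cfg = exec_cfg.get("logConfiguration") or {}
    cw = log_cfg.get("cloudWatchLogGroupName")
    s3 = log_cfg.get("s3BucketName")
    if not cw and not s3:
        findings.append("no CloudWatch Logs or S3 destination configured")
    if cw and not log_cfg.get("cloudWatchEncryptionEnabled"):
        findings.append("cloudWatchEncryptionEnabled is false")
    if s3 and not log_cfg.get("s3EncryptionEnabled"):
        findings.append("s3EncryptionEnabled is false")
    return findings

# Constructed sample clusters (placeholder names, account ID and key ARN).
WEAK = {"clusterName": "example-weak", "configuration": {"executeCommandConfiguration": {
    "logging": "OVERRIDE",
    "logConfiguration": {"cloudWatchLogGroupName": "/ecs/exec-example",
                         "cloudWatchEncryptionEnabled": False,
                         "s3BucketName": "example-exec-logs",
                         "s3EncryptionEnabled": False}}}}
HARDENED = {"clusterName": "example-hardened", "configuration": {"executeCommandConfiguration": {
    "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "logging": "OVERRIDE",
    "logConfiguration": {"cloudWatchLogGroupName": "/ecs/exec-example",
                         "cloudWatchEncryptionEnabled": True,
                         "s3BucketName": "example-exec-logs",
                         "s3EncryptionEnabled": True}}}}

if __name__ == "__main__":
    for c in (WEAK, HARDENED):
        print(c["clusterName"], exec_logging_findings(c) or "OK")
```

Feed it each entry of the clusters array returned when cluster descriptions are requested with configurations included.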