Deploy an ECS cluster using Fargate

To illustrate automated scanning, we will now deploy a sample ECS cluster that scales using Fargate. For the purposes of the lab, this will consist of a sample PHP application running in a Docker Compose environment.

  1. Create a cluster configuration and create a cluster

    ecs-cli configure --cluster tutorial --default-launch-type FARGATE --config-name tutorial --region us-east-1
    ecs-cli up --cluster-config tutorial --ecs-profile tutorial-profile

    The output should show that a VPC and two subnets have been created:

    INFO[0000] Created cluster                    cluster=tutorial region=us-east-1
    INFO[0000] Waiting for your cluster resources to be created...
    INFO[0000] Cloudformation stack status       stackStatus=CREATE_IN_PROGRESS
    INFO[0060] Cloudformation stack status       stackStatus=CREATE_IN_PROGRESS
    VPC created: vpc-046ed77edcd796e19
    Subnet created: subnet-045df8f58a51b2291
    Subnet created: subnet-0e4623283c4907ea7
    Cluster creation succeeded.
  2. We will use a bash script to create our ECS cluster. First, let's set up the script by copying and pasting the following commands:

    cd /home/ec2-user/environment
    curl -s >
    chmod +x
  3. Now run the script, copying and pasting the VPC and subnet values from the above output when prompted.


    Note: You can subsequently get the requested VPC and subnet details from the ‘Resources’ tab in the CloudFormation UI.

    ECS Cluster

    The script will

    • Retrieve the ID of the default security group for the VPC created, and allow inbound access on port 80.

    • Create an ecs-params.yml file using the subnets and security group already retrieved. This file should look as follows:

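      version: 1
      task_definition:
        task_execution_role: ecsTaskExecutionRole
        ecs_network_mode: awsvpc
        task_size:
          mem_limit: 0.5GB
          cpu_limit: 256
      run_params:
        network_configuration:
          awsvpc_configuration:
            subnets:
              - "subnet-045df8f58a51b2291"
              - "subnet-0e4623283c4907ea7"
            security_groups:
              - "sg-3a1f94b6"
            assign_public_ip: ENABLED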
    • Create a docker-compose.yaml to instantiate the image. This file looks as follows:

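      version: '3'
      services:
        web:
          image: <IMAGE_URI>  # placeholder: the image reference is not shown here
          ports:
            - "80:80"
          logging:
            driver: awslogs
            options:
              awslogs-group: tutorial
              awslogs-region: us-east-1
              awslogs-stream-prefix: web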

      Optionally, for details of this script you can run the following command

      cat ./
  4. Once the script has completed, you can see details of the ECS cluster in the Amazon ECS UI.

Cluster Tutorial
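
One way to avoid the manual copy and paste in step 3, shown as an added example that is not the workshop's script: it reads captured `ecs-cli up` output, keeps only well-formed resource IDs, and renders the ecs-params.yml described above. The function names are hypothetical, the sample output is constructed from step 1, and the security group ID is assumed to have been looked up separately.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's script): build ecs-params.yml from `ecs-cli up` output.
# Function names below are hypothetical and chosen for illustration.

# Constructed sample, taken from the `ecs-cli up` output shown in step 1.
SAMPLE_UP_OUTPUT='INFO[0000] Created cluster                    cluster=tutorial region=us-east-1
VPC created: vpc-046ed77edcd796e19
Subnet created: subnet-045df8f58a51b2291
Subnet created: subnet-0e4623283c4907ea7
Cluster creation succeeded.'

# AWS resource IDs are a prefix followed by 8 or 17 lowercase hex characters.
ID_RE='([0-9a-f]{8}|[0-9a-f]{17})'

# Print the IDs that follow "<label> created:" on stdin, dropping malformed values.
extract_ids() {  # $1 = label (VPC or Subnet), $2 = ID prefix (vpc or subnet)
  sed -n "s/^$1 created: \(.*\)\$/\1/p" | grep -E "^$2-$ID_RE\$"
}

valid_id() {  # $1 = ID prefix, $2 = candidate value
  printf '%s\n' "$2" | grep -Eq "^$1-$ID_RE\$"
}

# Render ecs-params.yml on stdout; refuse input that does not match the expected shape.
render_ecs_params() {  # $1 = security group ID; `ecs-cli up` output on stdin
  sg=$1
  valid_id sg "$sg" || { echo "invalid security group ID" >&2; return 1; }
  subnets=$(extract_ids Subnet subnet || true)
  [ "$(printf '%s\n' "$subnets" | grep -c .)" -eq 2 ] || { echo "expected two subnets" >&2; return 1; }
  cat <<EOF
version: 1
task_definition:
  task_execution_role: ecsTaskExecutionRole
  ecs_network_mode: awsvpc
  task_size:
    mem_limit: 0.5GB
    cpu_limit: 256
run_params:
  network_configuration:
    awsvpc_configuration:
      subnets:
$(printf '%s\n' "$subnets" | sed 's/.*/        - "&"/')
      security_groups:
        - "$sg"
      assign_public_ip: ENABLED
EOF
}

printf '%s\n' "$SAMPLE_UP_OUTPUT" | render_ecs_params sg-3a1f94b6
```

Rejecting anything that is not a plain resource ID keeps a mistyped or partially pasted value out of the task's network configuration.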


  1. You can check the ECS state by running ecs-cli ps

    Name                                           State    Ports                     TaskDefinition  Health
    tutorial/7c81f4d640b84a58a1b4ddf4dbaa0bb5/web  RUNNING>80/tcp  tutorial:1      UNKNOWN
  2. Check the deployed images with ecs-cli images

    REPOSITORY NAME     TAG                 IMAGE DIGEST                                                              PUSHED AT           SIZE                
    aws-workshop        latest              sha256:b9901958776c9c9881c1f7ba0e4c57f9715909eb7d78387a9481a4300585aab3   12 minutes ago      239MB               
  3. Browse to the sample application using the details in ecs-cli ps output (e.g.

    Sample PHP App

Obtain VPC & Subnet Info

You can execute the following to obtain the VPC and subnet information:

    # STACKNAME must hold the name of the CloudFormation stack created by ecs-cli up
    for resource in Vpc PubSubnetAz1 PubSubnetAz2; do
      aws cloudformation describe-stack-resources --stack-name "$STACKNAME" --query 'StackResources[?LogicalResourceId=='"'$resource'"'].PhysicalResourceId' --output text
    done