1

When creating an EC2-mode ECS cluster, you must assign/create a security group:

Create Screen

However, there appears to be no way to retrieve the ARN/name of the security group afterward.

UI:

Screenshot

CLI:

$ aws ecs describe-clusters --clusters extraction
{
    "clusters": [
        {
            "clusterArn": "arn:aws:ecs:us-east-1:326764833890:cluster/extraction",
            "clusterName": "extraction",
            "status": "ACTIVE",
            "registeredContainerInstancesCount": 0,
            "runningTasksCount": 0,
            "pendingTasksCount": 0,
            "activeServicesCount": 0,
            "statistics": [],
            "tags": [],
            "settings": [
                {
                    "name": "containerInsights",
                    "value": "disabled"
                }
            ],
            "capacityProviders": [
                "FARGATE_SPOT",
                "FARGATE"
            ],
            "defaultCapacityProviderStrategy": []
        }
    ],
    "failures": []
}

Assume there are no services that can be expected:

No Services

As this is a cluster semantic, I would assume there is a cluster solution to inspecting this information. That said, I'm close to assuming that this information is not actually [exposed] in ECS and might only, actually, be found by looking at the actual instances in EC2.

Note that it's interesting that the "attributes" under the "ECS Instances" tab show a machine class and yet not the security group:

ECS Instances

Dustin Oprea

2 Answers

1

Go to ECS, click clusters, click on your cluster, then click on the service. Under the details tab, look at the "Network Access" area; the security groups are listed there. This works for clusters on Fargate, not sure if you're using EC2 instances.

If you only have tasks, go into the cluster, click tasks, then select one task. Copy the ENI ID. Open the EC2 console, click "Network Interfaces", and use the search function to search for the ENI ID you copied. The security group is listed there.

Tim
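The console steps in the answer above (task, then ENI, then security group) and the question's guess about looking at the EC2 instances, written as an added AWS CLI example that is not part of the original thread. The function names are hypothetical, and the commands assume configured credentials and region.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes AWS CLI credentials and region are
# configured; all function names below are made up for this sketch.

# Tasks path: list-tasks -> describe-tasks (ENI IDs) -> the ENIs' groups.
# Only awsvpc-mode tasks (every Fargate task) have an ENI attachment.
task_security_groups() {
  local cluster="$1" tasks enis
  tasks=$(aws ecs list-tasks --cluster "$cluster" \
    --query 'taskArns[]' --output text)
  [ -n "$tasks" ] || return 0          # describe-tasks rejects an empty list
  # $tasks is left unquoted on purpose: one argument per ARN (max 100 per call).
  enis=$(aws ecs describe-tasks --cluster "$cluster" --tasks $tasks \
    --query "tasks[].attachments[].details[] | [?name=='networkInterfaceId'].value" \
    --output text)
  [ -n "$enis" ] || return 0           # e.g. bridge/host-mode tasks on EC2
  aws ec2 describe-network-interfaces --network-interface-ids $enis \
    --query 'NetworkInterfaces[].Groups[].[GroupId,GroupName]' --output text
}

# EC2 path: container instances -> EC2 instance IDs -> the instances' groups.
instance_security_groups() {
  local cluster="$1" cis ids
  cis=$(aws ecs list-container-instances --cluster "$cluster" \
    --query 'containerInstanceArns[]' --output text)
  [ -n "$cis" ] || return 0            # no registered container instances
  ids=$(aws ecs describe-container-instances --cluster "$cluster" \
    --container-instances $cis \
    --query 'containerInstances[].ec2InstanceId' --output text)
  [ -n "$ids" ] || return 0
  aws ec2 describe-instances --instance-ids $ids \
    --query 'Reservations[].Instances[].SecurityGroups[].[GroupId,GroupName]' \
    --output text
}

# Union of both paths, one "group-id<TAB>group-name" line per security group.
cluster_security_groups() {
  { task_security_groups "$1"; instance_security_groups "$1"; } | sort -u
}

# Only query AWS when a cluster name is passed on the command line.
if [ "$#" -ge 1 ]; then cluster_security_groups "$1"; fi
```

A cluster with no running tasks and no registered container instances (the state shown in the question's `describe-clusters` output) yields no lines from either path.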
-1

If someone is still stuck with this, I have found that if you go to the security groups list under Network & Security in the EC2 Management console, you will likely be able to identify the security group by name because the name will contain the Cluster name!

Hope this helps.

GilShalit
  • This is mentioned at the bottom of the question. The purpose of the question is to determine if there is a way to find it in the ECS context. – Dustin Oprea Nov 07 '21 at 06:35
  • All I see in the OP is where the security group is not mentioned in ECS :) so just trying to be helpful here. – GilShalit Nov 07 '21 at 08:49