This page is generated from skills/ecs-operation-review/references/task-definitions.md. Edit the source, not this page.
Section 03 — Task Definitions
Purpose
Assess task-definition hygiene: right-sized task CPU/memory, container image discipline, logging configuration, storage/volumes, and presence of task + execution roles. Grounded in the task-definition best-practices pillar (container images, task size, volumes).
Checks to Execute
3.1 — Task Size (CPU / Memory) Set and Reasonable
What to check:
- Task-level
cpuandmemoryset (required for Fargate; strongly recommended for EC2). - Container-level
memory(hard) vsmemoryReservation(soft) limits. - Obvious over/under-provisioning signals.
How to check:
aws ecs describe-task-definition --task-definition <arn>→ read taskcpu/memoryand each container'smemory/memoryReservation/cpu.
Rating:
- 🟢 GREEN: Task size set; container soft/hard limits present; sized to a valid Fargate CPU/memory combination where applicable.
- 🟡 AMBER: Only task-level limits, no container reservations (poor bin-packing on EC2), or suspected over-provisioning.
- 🔴 RED: No memory limit/reservation on EC2 tasks (a runaway container can starve the instance), or invalid/edge Fargate sizing.
- ⬜ UNKNOWN: Cannot describe task definitions.
Key talking point: On EC2, a container with no memory limit can consume the whole instance and destabilize co-located tasks. Dollar-level right-sizing → ecs-cost-intelligence. See ECS task sizes.
3.2 — Container Image Discipline
What to check:
- Images pinned to immutable digests/tags vs
:latest. - Registry source (private ECR vs public/Docker Hub).
How to check:
- From each container definition, inspect
imagefor:latest/no tag and registry host.
Rating:
- 🟢 GREEN: Specific version tags or digests from private ECR.
- 🟡 AMBER: Versioned but from public registries, or occasional
:latest. - 🔴 RED:
:latestwidely used (non-reproducible deployments) or images from untrusted public registries. - ⬜ UNKNOWN: Cannot read task definitions.
Key talking point: :latest breaks reproducibility and rollback — a re-pull can silently change the running code. See ECS container images. Image scanning/signing posture → Section 07 and ecs-security.
3.3 — Log Configuration Present (pointer — rated in 6.2)
What to check:
- Whether every container carries a
logConfigurationat all (awslogs,awsfirelens, etc.) — a task-definition-hygiene sanity check.
How to check:
- Inspect
containerDefinitions[].logConfiguration.logDriverwhile collecting task-definition data.
Rating: Do not score this item here. The presence/absence of a log driver (including the "no log driver → 🔴 RED" case), log routing, awslogs-stream-prefix, and delivery-mode are all rated once in observability check 6.2 to avoid double-counting across domains (see scoring-rubric.md). If you observe a container with no log driver while parsing task definitions, record the evidence and carry it into 6.2 — do not emit a separate 3.3 rating.
Full observability rating (driver presence, retention, routing, delivery mode, tracing) is Section 06; design help → ecs-observability.
3.4 — Task Role and Execution Role Assigned
What to check:
taskRoleArn(application AWS access) andexecutionRoleArn(image pull, secrets injection, log push) presence and separation.
How to check:
aws ecs describe-task-definition→taskRoleArn,executionRoleArn.
Rating (presence/separation only — least-privilege & role-reuse are rated once, in check 7.1, to avoid double-counting):
- 🟢 GREEN: Task role (for app AWS calls) and execution role (for the agent) each present where needed; task role present only when the app needs AWS access.
- 🟡 AMBER: An expected role ARN is missing where the workload plausibly needs it (e.g., no task role on an app that calls AWS services), without the hard-failure condition below. (If you notice the same role ARN reused for both fields, do not rate that here — role-reuse and least-privilege are scored in 7.1; record the evidence and defer.)
- 🔴 RED: No execution role where secrets/private-ECR pulls are used (tasks will fail to start).
- ⬜ UNKNOWN: Cannot read task definitions.
Scope note: This check rates presence and role separation at the task-definition level. The least-privilege, over-broad-policy, and execution-role-reused-as-task-role ratings live in security check 7.1 — do not re-score them here (see the consistency note in scoring-rubric.md on cross-domain duplicates). For the task-role vs execution-role explainer and deep role-trust remediation, see 7.1 and ecs-security. See ECS task IAM role.
3.5 — Storage / Volumes
What to check:
- Volume types (ephemeral, bind mounts, EFS, Fargate ephemeral storage sizing, EBS volumes for tasks).
- Sensitive data written to ephemeral storage without encryption considerations.
How to check:
- Inspect
volumesandcontainerDefinitions[].mountPointsin the task definition; for services, check configured EBS volume attachment.
Rating:
- 🟢 GREEN: Volume choice matches durability needs (EFS/EBS for persistence; ephemeral for scratch), encryption in place.
- 🟡 AMBER: Ephemeral storage used for data that should persist, or default sizing under pressure.
- 🔴 RED: Stateful data on ephemeral task storage with no backup/persistence path.
- ⬜ UNKNOWN: Cannot determine data criticality — flag for manual review.
Key talking point: See storage options for ECS tasks. Backup/DR posture is rated in Section 08.