    ECS/EKS Security Scanner

    Production-ready ECS and EKS container security scanner with multi-framework compliance mapping

    A comprehensive, production-ready AWS ECS and EKS container security scanner with 45 security checks across 8 categories and compliance mapping for AWS FSBP, CIS Amazon EKS Benchmark, AWS EKS Node Hardening, PCI DSS, HIPAA, SOC 2, ISO 27001/27017/27018, GDPR, and NIST SP 800-53 Rev5 (11 frameworks, 128 controls total). Covers ECS clusters, services, and task definitions plus EKS clusters and node groups, with secret detection and multi-threaded scanning.

    Features

    Security Analysis (8 categories, 45 checks)

    • ECS Cluster: Container Insights, Execute Command logging, KMS encryption
    • ECS Task: privileged containers, non-root user, read-only FS, env-var secrets
    • ECS Service: ECS Exec, public IP, deployment circuit breaker, Fargate version
    • EKS Cluster: public endpoint, KMS secrets encryption, control-plane logs, version
    • EKS Node Group: SSH access, EBS encryption, AMI type, launch templates
    • IAM, Logging & Data Protection: role scope, GuardDuty, flow logs, ECR scanning

    Compliance

    • AWS FSBP (16 controls)
    • CIS Amazon EKS Benchmark v2.0.0 (5 controls)
    • AWS EKS Node Hardening (5 controls)
    • PCI DSS v4.0.1 (14 controls)
    • HIPAA Security Rule (13 controls)
    • SOC 2 (15 controls), ISO 27001/27017/27018
    • GDPR (10 controls), NIST 800-53 Rev5 (24 controls)

    Output

    • Security score 0-100 per cluster
    • JSON, CSV, HTML reports + compliance JSON
    • Interactive Chart.js dashboards
    • Read-only: List/Describe/Get IAM actions only

    Installation & Usage

    PyPI Installation

    pip install ecs-eks-security-scanner
    

    Docker

    docker pull tarekcheikh/ecs-eks-security-scanner:latest
    

    Commands

    # Scan all ECS and EKS clusters
    ecs-eks-security-scanner security

    # Scan ECS only, or EKS only (here: EKS, eu-west-1 region, HTML report)
    ecs-eks-security-scanner security -s ecs
    ecs-eks-security-scanner security -s eks -r eu-west-1 -f html

    Security Checks

    • Privileged Containers in ECS Task Definition (CRITICAL)
    • Secrets in ECS Task Environment Variables (CRITICAL)
    • EKS Cluster Endpoint Publicly Accessible (CRITICAL)
    • Unsupported / EOL Kubernetes Version (CRITICAL)
    • Overly Permissive IAM Roles (CRITICAL)
    • Auto-Assigned Public IP on ECS Service (HIGH)
    • EKS Secrets Not Encrypted with KMS (HIGH)
    • Unrestricted EKS Node Group SSH Access (HIGH)
    • ECS Container Insights Disabled (MEDIUM)
    • Node Group Not Using Launch Template (LOW)
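    As an added example (not the scanner's own code) of how the ECS task checks listed above can be evaluated offline: the function below takes a task definition in the shape returned by the ECS DescribeTaskDefinition API and reports privileged containers, containers running as root, writable root filesystems, and secret-looking values inlined in environment variables. The sample task definition, the pattern of secret-like variable names, and the severities assigned to the root-user and writable-filesystem findings are assumptions.

```python
import re

# Constructed sample, shaped like the ECS describe_task_definition response.
SAMPLE_TASK_DEFINITION = {
    "family": "payments-api",
    "containerDefinitions": [
        {
            "name": "api",
            "privileged": True,
            "user": "root",
            "readonlyRootFilesystem": False,
            "environment": [
                {"name": "DB_PASSWORD", "value": "hunter2"},  # constructed
                {"name": "LOG_LEVEL", "value": "info"},
            ],
        },
        {
            "name": "sidecar",
            "user": "1000:1000",
            "readonlyRootFilesystem": True,
            # Secrets should be referenced via the `secrets` block (Secrets
            # Manager / SSM), not inlined in `environment`.
            "environment": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "x"}],
        },
    ],
}

# Assumed heuristic: variable names that usually carry credentials.
SECRET_NAME_PATTERN = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def check_task_definition(task_def):
    """Return (severity, check, container_name) findings for one task definition."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged", False):
            findings.append(("CRITICAL", "privileged_container", name))
        # No `user`, or a uid/name of root, means the container runs as root.
        user = c.get("user") or ""
        if user.split(":")[0] in ("", "root", "0"):
            findings.append(("HIGH", "runs_as_root", name))  # assumed severity
        if not c.get("readonlyRootFilesystem", False):
            findings.append(("MEDIUM", "writable_root_fs", name))  # assumed severity
        for env in c.get("environment", []):
            if env.get("value") and SECRET_NAME_PATTERN.search(env.get("name", "")):
                findings.append(("CRITICAL", "secret_in_env:" + env["name"], name))
    return findings


if __name__ == "__main__":
    for severity, check, container in check_task_definition(SAMPLE_TASK_DEFINITION):
        print(f"{severity:8} {container:8} {check}")
```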

    Compliance Frameworks

    • AWS FSBP: 16 controls
    • CIS Amazon EKS v2.0.0: 5 controls
    • AWS EKS Node Hardening: 5 controls
    • PCI DSS v4.0.1: 14 controls
    • HIPAA Security Rule: 13 controls
    • SOC 2: 15 controls
    • ISO 27001:2022: 14 controls
    • GDPR: 10 controls
    • NIST 800-53 Rev5: 24 controls
