When creating an EC2-mode ECS cluster, you must assign/create a security group:
However, there appears to be no way to retrieve the ARN/name of the security group afterward.
UI:
CLI:
$ aws ecs describe-clusters --clusters extraction
{
    "clusters": [
        {
            "clusterArn": "arn:aws:ecs:us-east-1:326764833890:cluster/extraction",
            "clusterName": "extraction",
            "status": "ACTIVE",
            "registeredContainerInstancesCount": 0,
            "runningTasksCount": 0,
            "pendingTasksCount": 0,
            "activeServicesCount": 0,
            "statistics": [],
            "tags": [],
            "settings": [
                {
                    "name": "containerInsights",
                    "value": "disabled"
                }
            ],
            "capacityProviders": [
                "FARGATE_SPOT",
                "FARGATE"
            ],
            "defaultCapacityProviderStrategy": []
        }
    ],
    "failures": []
}
Assume there are no services that can be expected:
As this is a cluster semantic, I would assume there is a cluster solution to inspecting this information. That said, I'm close to assuming that this information is not actually [exposed] in ECS and might only, actually, be found by looking at the actual instances in EC2.
Note that it's interesting that the "attributes" under the "ECS Instances" tab show a machine class but not the security group:
Go to ECS, click clusters, click on your cluster, then click on the service. Under the details tab, look at the "Network Access" area; security groups are listed there. This works for clusters on Fargate; not sure if you're using EC2 instances.
If you only have tasks, go into the cluster, click tasks, then select one task. Copy the ENI ID. Open the EC2 console, click "Network Interfaces", and use the search function to search for the ENI ID you copied. The security group is listed there.
If someone is still stuck with this, I have found that if you go to the security groups list under Network & Security in the EC2 Management console, you will likely be able to identify the security group by name because the name will contain the Cluster name!
Hope this helps.
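The lookups described in the two answers above (task to ENI to security group, and container instance to EC2 instance to security group) can be scripted so you audit what is actually attached rather than guessing from a group name. The following is an added example, not code from the original question or from AWS; the extraction helpers work on plain dicts shaped like the describe-tasks, describe-network-interfaces, describe-container-instances and describe-instances API responses, so they run offline on the constructed sample data below. The main() path uses boto3 against a live account and assumes the cluster name "extraction" from the question; all ids, ARNs and group names in the samples are constructed placeholders.

```python
"""
Resolve the security groups actually attached to an ECS cluster's network
interfaces, for both launch types:

  * awsvpc tasks (Fargate or EC2): task -> ENI attachment -> ENI -> groups
  * EC2 container instances:       container instance -> EC2 instance -> groups

Example code added for illustration; not part of the original Q&A.
"""
from __future__ import annotations

import sys
from typing import Dict, Iterable, List


def eni_ids_from_tasks(describe_tasks: dict) -> List[str]:
    """ENI ids from the ElasticNetworkInterface attachments in describe-tasks output."""
    enis: List[str] = []
    for task in describe_tasks.get("tasks", []):
        for att in task.get("attachments", []):
            if att.get("type") != "ElasticNetworkInterface":
                continue
            for kv in att.get("details", []):
                if kv.get("name") == "networkInterfaceId":
                    enis.append(kv["value"])
    return enis


def security_groups_from_enis(describe_enis: dict) -> Dict[str, List[str]]:
    """Map ENI id -> sorted security group ids from describe-network-interfaces output."""
    return {
        eni["NetworkInterfaceId"]: sorted(g["GroupId"] for g in eni.get("Groups", []))
        for eni in describe_enis.get("NetworkInterfaces", [])
    }


def ec2_ids_from_container_instances(describe_ci: dict) -> List[str]:
    """EC2 instance ids from describe-container-instances output (EC2 launch type)."""
    return [ci["ec2InstanceId"] for ci in describe_ci.get("containerInstances", [])
            if "ec2InstanceId" in ci]


def security_groups_from_instances(describe_instances: dict) -> Dict[str, List[str]]:
    """Map EC2 instance id -> sorted security group ids from describe-instances output."""
    out: Dict[str, List[str]] = {}
    for res in describe_instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            out[inst["InstanceId"]] = sorted(g["GroupId"] for g in inst.get("SecurityGroups", []))
    return out


def unexpected_groups(attached: Dict[str, List[str]], approved: Iterable[str]) -> Dict[str, List[str]]:
    """Defender's check: resources carrying a group outside the approved set."""
    allowed = set(approved)
    return {rid: [g for g in groups if g not in allowed]
            for rid, groups in attached.items() if set(groups) - allowed}


# Constructed sample responses (shape follows the AWS APIs; values are placeholders).
SAMPLE_TASKS = {"tasks": [{
    "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/extraction/0123456789abcdef",
    "attachments": [{"type": "ElasticNetworkInterface", "status": "ATTACHED",
                     "details": [{"name": "subnetId", "value": "subnet-0aaa"},
                                 {"name": "networkInterfaceId", "value": "eni-0abc"}]}]}]}
SAMPLE_ENIS = {"NetworkInterfaces": [{"NetworkInterfaceId": "eni-0abc",
    "Groups": [{"GroupId": "sg-0bbb", "GroupName": "extraction-sg"},
               {"GroupId": "sg-0aaa", "GroupName": "default"}]}]}
SAMPLE_CONTAINER_INSTANCES = {"containerInstances": [{
    "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/extraction/abc",
    "ec2InstanceId": "i-0123"}]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [{"InstanceId": "i-0123",
    "SecurityGroups": [{"GroupId": "sg-0ccc", "GroupName": "ecs-extraction-EcsSecurityGroup"}]}]}]}


def main(cluster: str) -> Dict[str, List[str]]:
    """Live path: same helpers fed from boto3 (first page of each list call only)."""
    import boto3  # hypothetical deployment assumption: credentials already configured
    ecs, ec2 = boto3.client("ecs"), boto3.client("ec2")
    task_arns = ecs.list_tasks(cluster=cluster).get("taskArns", [])
    tasks = ecs.describe_tasks(cluster=cluster, tasks=task_arns) if task_arns else {}
    ci_arns = ecs.list_container_instances(cluster=cluster).get("containerInstanceArns", [])
    cis = ecs.describe_container_instances(cluster=cluster, containerInstances=ci_arns) if ci_arns else {}
    eni_ids = eni_ids_from_tasks(tasks)
    enis = ec2.describe_network_interfaces(NetworkInterfaceIds=eni_ids) if eni_ids else {}
    inst_ids = ec2_ids_from_container_instances(cis)
    insts = ec2.describe_instances(InstanceIds=inst_ids) if inst_ids else {}
    return {**security_groups_from_enis(enis), **security_groups_from_instances(insts)}


if __name__ == "__main__":
    for rid, groups in main(sys.argv[1] if len(sys.argv) > 1 else "extraction").items():
        print(rid, " ".join(groups))
```

The ECS cluster object itself, as the describe-clusters output in the question shows, carries no security group; the group lives on the ENI (awsvpc tasks) or on the EC2 instance (container instances), so the script walks to those objects and reports per resource. Feed the result to unexpected_groups with the set of groups your deployment is supposed to use to catch drift.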