Monitoring ECS task scale-in protection

The task scale-in events are managed by the Application Auto Scaling service. You can monitor these events using Amazon EventBridge, as described in this documentation.

Regarding tasks that are protected during a scale-in event, there is currently no direct way to retrieve this information, and no dedicated metric is available. However, you can retrieve the Task Protection status either from the Amazon ECS container agent endpoint or through the GetTaskProtection Amazon ECS API.

To address your requirements, you can implement a logic (AWS Lambda) that will be triggered by Amazon EventBridge whenever a scale-in event occurs. This logic should call the GetTaskProtection API for all running tasks to determine which tasks currently have the Task Protection status enabled.

I recommend opening an issue in the GitHub Containers Roadmap and providing your use case. This will allow the AWS team to consider implementing a dedicated Task Protection status metric that can be published automatically to Amazon CloudWatch.

To monitor ECS scale-in events and which tasks were able to bypass due to being protected:

• You can check the CloudWatch logs for the ECS service to see scale-in events that occurred. This will show the desired count being reduced.
• To see which specific tasks were protected, you can use the describe-tasks AWS CLI command to get the protection status of each task:

aws ecs describe-tasks --cluster mycluster --tasks TASK_ID1 TASK_ID2

• The output will include a protectionStatus field indicating if the task is protected or unprotected.
• You can also enable CloudWatch container insights on your ECS tasks to get metrics on task protections set/cleared through the ECS agent endpoint. This provides visibility into which tasks are setting themselves as protected.
• For tasks using the ECS API to set protection, you would need to integrate your application logs with CloudWatch to correlate scale-in events with protection calls made through the API.