Tell us about your request
Similar to ALB/ELB having a "switch" to pipe access logs to S3, it would be great if one could pipe Auditd (kernel system logs) to S3.
Which service(s) is this request for?
Fargate
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
While Fargate itself is compliant and secure, containers themselves might get compromised. Given the nature of IAM roles - even with SSM/KMS, once someone has access inside a container he will potentially be able to compromise more resources inside AWS. Worst case: database leak.
Currently it is difficult to get visibility into system calls happening inside a container. Most available Linux/open-source tools require the container to run in privileged mode, or work at host level.
Are you currently working around this issue?
Currently we do not have a solution yet. Given that with Docker you should only run one process as PID 1, that PID 1 is the only way of entry/intrusion - so logging any system calls from within the app might be a workaround, but risky, as it relies on PID 1 itself not having any security holes (or on the way of logging).
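The in-app syscall logging idea mentioned in the workaround above, as an added example that is not part of the original issue and not AWS or Fargate tooling: a supervisor process ptraces its own child (the actual workload) and records every syscall number it makes, with no privileged mode required. The names `workload`, `trace_workload`, `log_contains` and `traced_run_logs` are this example's own. It assumes Linux on x86-64 or aarch64 and a seccomp profile that permits a process to ptrace its own children; whether the Fargate task runtime allows that is an assumption, not something verified here. It also carries the caveat the issue itself raises: the logger lives inside the same container, so whoever controls PID 1 (or this supervisor) can disable it, which is exactly why a platform-level feed to S3 would be preferable.

```c
// Added example, not code from the original issue or from AWS: an
// unprivileged, in-container syscall logger in the spirit of the "log system
// calls from within the app" workaround. A supervisor forks the workload and
// traces it with ptrace(PTRACE_SYSCALL), recording each syscall number it
// makes. Assumes Linux on x86-64 or aarch64 and a seccomp profile that lets a
// process ptrace its own children (an assumption for Fargate, not verified).
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SYSCALLS 4096

struct syscall_log {
    long nr[MAX_SYSCALLS];   /* syscall numbers in order of entry */
    int count;               /* stops growing once MAX_SYSCALLS is reached */
};

/* The traced workload (constructed): stands in for the container's PID 1. */
static void workload(void)
{
    syscall(SYS_getpid);                 /* marker syscall, easy to check for */
    write(STDOUT_FILENO, "hello\n", 6);
    _exit(0);
}

/* Syscall number of the tracee at a syscall stop, or -1 on failure. */
static long current_syscall_nr(pid_t pid)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
    return (long)regs.orig_rax;          /* rax itself is clobbered on entry */
#elif defined(__aarch64__)
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) < 0) return -1;
    return (long)regs.regs[8];           /* x8 carries the syscall number */
#else
#error "unsupported architecture"
#endif
}

/* Fork the workload, trace it until it exits and fill `log` with the syscall
 * numbers it made. Returns the child's exit status, or -1 if tracing failed. */
static int trace_workload(struct syscall_log *log)
{
    int status, in_syscall = 0, sig = 0;
    log->count = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                  /* let the parent set options first */
        workload();
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* Bit 7 marks syscall stops, telling them from a real SIGTRAP (no execve here). */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
        /* Any other stop is an ordinary signal: re-inject it on the next resume. */
        sig = WSTOPSIG(status) == (SIGTRAP | 0x80) ? 0 : WSTOPSIG(status);
        if (sig) continue;
        /* Every syscall gives an entry stop and an exit stop; log entries only. */
        if ((in_syscall = !in_syscall) == 0) continue;
        long nr = current_syscall_nr(pid);
        if (nr < 0) return -1;
        if (log->count < MAX_SYSCALLS) log->nr[log->count++] = nr;
    }
}

static int log_contains(const struct syscall_log *log, long nr)
{
    for (int i = 0; i < log->count; i++) if (log->nr[i] == nr) return 1;
    return 0;
}

/* 1 if a traced run exits cleanly and syscall `nr` appears in its log. */
static int traced_run_logs(long nr)
{
    struct syscall_log log;
    return trace_workload(&log) == 0 && log_contains(&log, nr);
}
```

Build with `cc -Wall tracer.c` and call `trace_workload` from a `main`, then ship `log.nr[]` wherever the app's own logs go (the S3 upload would be the application's job; that is the piece the issue asks AWS to provide). `traced_run_logs(SYS_getpid)` returns 1 when tracing works; a return of 0 with `trace_workload` reporting -1 means ptrace is blocked in the environment, which is the first thing to check on a Fargate task before relying on this approach.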
+1
This is currently a huge blindspot on Fargate.