diff --git a/providers/aws/config.go b/providers/aws/config.go
index 4370d2904..77ea9f04c 100644
--- a/providers/aws/config.go
+++ b/providers/aws/config.go
@@ -102,6 +102,9 @@ func (p *FargateProvider) loadConfig(r io.Reader) error {
 	if config.OperatingSystem != providers.OperatingSystemLinux {
 		return fmt.Errorf("Fargate does not support operating system %v", config.OperatingSystem)
 	}
+	if config.CloudWatchLogGroupName != "" && config.ExecutionRoleArn == "" {
+		return fmt.Errorf("Execution role required if CloudWatch log group is specified")
+	}
 
 	// Validate advertised capacity.
 	if q, err = resource.ParseQuantity(config.CPU); err != nil {
diff --git a/providers/aws/fargate.toml b/providers/aws/fargate.toml
index 45ecf878a..fa6f4b276 100644
--- a/providers/aws/fargate.toml
+++ b/providers/aws/fargate.toml
@@ -32,6 +32,7 @@ ExecutionRoleArn = ""
 
 # Amazon CloudWatch log group name used to store container logs. Optional.
 # If omitted, container logs will not be available.
+# If specified, an execution role with access to CloudWatch logs is required.
 CloudWatchLogGroupName = ""
 
 # AWS Fargate platform version. Optional. Defaults to "LATEST".