AWS AmazonECS documentation change
Summary
Added detailed documentation about various IAM roles in Amazon ECS, including their purposes and when they are required
Security assessment
The changes document IAM roles and their security-related purposes, but do not address any specific security vulnerabilities or incidents
Diff
diff --git a/AmazonECS/latest/developerguide/security-iam-roles.md index 85abaf74e..304e20edf 100644 --- a/AmazonECS/latest/developerguide/security-iam-roles.md +++ b/AmazonECS/latest/developerguide/security-iam-roles.md @@ -5 +5 @@ -Task execution roleContainer instance roleService-linked rolesRoles recommendations +Task roleTask execution roleContainer instance roleService-linked rolesRoles recommendations @@ -8,0 +9,32 @@ Task execution roleContainer instance roleService-linked rolesRoles recommendati +The roles Amazon ECS requires depend on the task definition launch type and the features that you use. We recommend that you create separate roles in the table instead of sharing roles. + +Role | Definition | When required | More information +---|---|---|--- +Task execution role | This role allows Amazon ECS to use other AWS services on your behalf. | Your task is hosted on AWS Fargate or on external instances and: + + * pulls a container image from an Amazon ECR private repository. + * pulls a container image from an Amazon ECR private repository in a different account from the account that runs the task. + * sends container logs to CloudWatch Logs using the `awslogs` log driver. + +Your task is hosted on either AWS Fargate or Amazon EC2 instances and: + + * uses private registry authentication. + * uses Runtime Monitoring. + * the task definition references sensitive data using Secrets Manager secrets or AWS Systems Manager Parameter Store parameters. + +| [Amazon ECS task execution IAM role](./task_execution_IAM_role.html) +Task role | This role allows your application code (on the container) to use other AWS services. | Your application accesses other AWS services, such as Amazon S3. | [Amazon ECS task IAM role](./task-iam-roles.html) +Container instance role | This role allows your EC2 instances or external instances to register with the cluster. | Your task is hosted on Amazon EC2 instances or an external instance. | [Amazon ECS container instance IAM role](./instance_IAM_role.html) +Amazon ECS Anywhere role | This role allows your external instances to access AWS APIs. | Your task is hosted on external instances. | [Amazon ECS Anywhere IAM role](./iam-role-ecsanywhere.html) +Amazon ECS CodeDeploy role | This role allows CodeDeploy to make updates to your services. | You use the CodeDeploy blue/green deployment type to deploy services. | [Amazon ECS CodeDeploy IAM Role](./codedeploy_IAM_role.html) +Amazon ECS EventBridge role | This role allows EventBridge to make updates to your services. | You use the EventBridge rules and targets to schedule your tasks. | [Amazon ECS EventBridge IAM Role](./CWE_IAM_role.html) +Amazon ECS infrastructure role | This role allows Amazon ECS to manage infrastructure resources in your clusters. | + + * You want to attach Amazon EBS volumes to your Fargate or EC2 launch type Amazon ECS tasks. The infrastructure role allows Amazon ECS to manage Amazon EBS volumes for your tasks. + * You want to use Transport Layer Security (TLS) to encrypt traffic between your Amazon ECS Service Connect services. + * You want to create VPC Lattice target groups. + +| [Amazon ECS infrastructure IAM role](./infrastructure_IAM_role.html) + +## Task role +