AWS Security ChangesHomeSearch

AWS AmazonECS medium security documentation change

Service: AmazonECS · 2025-05-31 · Security-related medium

File: AmazonECS/latest/developerguide/task-iam-roles.md

Summary

Updated credential isolation explanation to clarify EC2 instance-level isolation limitations and recommend Fargate for stronger isolation

Security assessment

The change explicitly warns about potential credential access between tasks on the same EC2 instance, indicating a security consideration. It recommends Fargate for task-level isolation, addressing a security control improvement.

Diff

diff --git a/AmazonECS/latest/developerguide/task-iam-roles.md b/AmazonECS/latest/developerguide/task-iam-roles.md
index f7a409679..f3c34d3b5 100644
--- a//AmazonECS/latest/developerguide/task-iam-roles.md
+++ b//AmazonECS/latest/developerguide/task-iam-roles.md
@@ -17 +17 @@ The following are the benefits of using task roles:
-  * **Credential Isolation:** A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
+  * **Credential Isolation:** Task credentials are isolated at the EC2 instance level. While each task receives credentials for its defined IAM role through the ECS container agent and instance metadata service, tasks running on the same EC2 instance may potentially access credentials belonging to other tasks on that instance. For workloads requiring stronger isolation, consider using Fargate which provides task-level isolation.