AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-06-07 · Documentation low

File: AmazonECS/latest/developerguide/ecs-agent-config.md

Summary

Added documentation for running ECS agent with host PID namespace in SELinux environments, including limitations for ECS Exec/EBS task attach/Service Connect

Security assessment

The change documents security-related configuration (SELinux enforcement) but does not indicate resolution of a specific vulnerability. It adds guidance for secure environment setup.

Diff

diff --git a/AmazonECS/latest/developerguide/ecs-agent-config.md b/AmazonECS/latest/developerguide/ecs-agent-config.md
index 0a75134b8..a4ddba33a 100644
--- a//AmazonECS/latest/developerguide/ecs-agent-config.md
+++ b//AmazonECS/latest/developerguide/ecs-agent-config.md
@@ -5 +5 @@
-Available parameters
+Run the Amazon ECS agent with the host PID namespaceAvailable parameters
@@ -24,0 +25,34 @@ If you are manually starting the Amazon ECS container agent (for non Amazon ECS-
+## Run the Amazon ECS agent with the host PID namespace
+
+By default, the Amazon ECS agent runs with its own PID namespace. In the following configurations, you can configure the Amazon ECS agent to run with the host PID namespace:
+
+  * SELinux enforcing mode is enabled .
+
+  * Docker's SELinux security policy is set to true.
+
+
+
+
+You can configure this behavior by setting the `ECS_AGENT_PID_NAMESPACE_HOST` environment variable to `true` in your `/etc/ecs/ecs.config` file. When this variable is enabled, `ecs-init` will start the Amazon ECS agent container with the host's PID namespace (`--pid=host`), allowing the agent to bootstrap itself properly in SELinux-enforcing environments.
+
+To enable this feature, add the following line to your `/etc/ecs/ecs.config` file:
+    
+    
+    ECS_AGENT_PID_NAMESPACE_HOST=true
+
+After making this change, restart the Amazon ECS agent for the change to take effect:
+    
+    
+    sudo systemctl restart ecs
+
+The following features will not work SELinux enforcing mode is enabled and the Docker security policy is set to true, even when `ECS_AGENT_PID_NAMESPACE_HOST=true` is set.
+
+  * Amazon ECS Exec
+
+  * Amazon EBS task attach
+
+  * Service Connect
+
+
+
+