AWS Security ChangesHomeSearch

AWS AmazonECS medium security documentation change

Service: AmazonECS · 2025-07-04 · Security-related medium

File: AmazonECS/latest/developerguide/task-iam-roles.md

Summary

Updated IAM role documentation with clarified credential handling, added security warnings about EC2 isolation limitations, enhanced audit logging details, and improved IAM policy examples with trust conditions

Security assessment

The changes explicitly warn about containers not being security boundaries on EC2 instances, highlight credential access risks between tasks on shared instances, and provide mitigation guidance (blocking EC2 metadata service access). Added IAM policy conditions enforce source ARN/account validation for role assumption. Auditability section emphasizes security monitoring capabilities.

Diff

diff --git a/AmazonECS/latest/developerguide/task-iam-roles.md b/AmazonECS/latest/developerguide/task-iam-roles.md
index 9c89ac7f4..6453a8d2f 100644
--- a//AmazonECS/latest/developerguide/task-iam-roles.md
+++ b//AmazonECS/latest/developerguide/task-iam-roles.md
@@ -9 +9 @@ Creating the task IAM roleAmazon ECR permissionsECS Exec permissions Amazon EC2
-Your Amazon ECS tasks can have an IAM role associated with them. The permissions granted in the IAM role are assumed by the containers running in the task. This role allows your application code (on the container) to use other AWS services. The task role is required when your application accesses other AWS services, such as Amazon S3.
+Your Amazon ECS tasks can have an IAM role associated with them. The permissions granted in the IAM role are vended to containers running in the task. This role allows your application code (running in the container) to use other AWS services. The task role is required when your application accesses other AWS services, such as Amazon S3.
@@ -17 +17 @@ The following are the benefits of using task roles:
-  * **Credential Isolation:** Task credentials are isolated at the EC2 instance level. While each task receives credentials for its defined IAM role through the ECS container agent and instance metadata service, tasks running on the same EC2 instance may potentially access credentials belonging to other tasks on that instance. For workloads requiring stronger isolation, consider using Fargate which provides task-level isolation.
+  * **Separation of concerns** : If you're using the EC2 launch type, task IAM roles allow you to specify IAM permissions for your containers without requiring these permissions to be specified using EC2 instance profiles (for more information, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) in the _AWS Identity and Access Management User Guide_). Therefore, you can deploy your applications independently and uniformly on ECS container instances without needing to modify IAM permissions associated with EC2 instances.
@@ -19 +19 @@ The following are the benefits of using task roles:
-  * **Authorization:** Unauthorized containers cannot access IAM role credentials defined for other tasks.
+  * **Auditability** : Access and event logging are available through CloudTrail to ensure retrospective auditing. Task credentials have a context of '`taskArn`' that is attached to the session, so CloudTrail logs show which task the role credentials were vended for.
@@ -21 +21 @@ The following are the benefits of using task roles:
-  * **Auditing:** Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of `taskArn` that is attached to the session, so CloudTrail logs show which task is using which role.
+  * **Uniform credentials delivery** : ECS delivers IAM role credentials to your containers and makes them accessible through a well-defined interface irrespective of the launch type associated with your tasks. On ECS Fargate, EC2 instance profiles are not available for containers in your tasks. Task IAM roles enable you to associate IAM permissions to your containers irrespective of the launch type when you use AWS SDK or AWS CLI in your containers. For more information about how the AWS SDK accesses these credentials, see [Container credential provider](https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html).
@@ -26 +26,3 @@ The following are the benefits of using task roles:
-###### Note
+###### Important
+
+Containers are not a security boundary and the use of task IAM roles does not change this. Each task running on Fargate has its own isolation boundary and does not share the underlying kernel, CPU resources, memory resources, or elastic network interface with another task. For EC2 and External Container Instances on ECS, there is no task isolation (unlike with Fargate) and containers can potentially access credentials for other tasks on the same container instance. They can also access permissions assigned to the [ECS container instance role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html). Follow the recommendations in [Roles recommendations](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-roles.html#security-iam-roles-recommendations) to block access to the Amazon EC2 Instance Metadata Service for containers (For more information, see [Use the Instance Metadata Service to access instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) in the _Amazon EC2 User Guide_). 
@@ -28 +30 @@ The following are the benefits of using task roles:
-When you specify an IAM role for a task, the AWS CLI or other SDKs in the containers for that task use the AWS credentials provided by the task role exclusively and they no longer inherit any IAM permissions from the Amazon EC2 or external instance they are running on.
+Note that when you specify an IAM role for a task, the AWS CLI or other SDKs in the containers for that task use the AWS credentials provided by the task role exclusively and they do not inherit any IAM permissions from the Amazon EC2 or external instance they are running on.
@@ -190,5 +192,3 @@ AWS CLI
-             "Action":[
-                "s3:GetObject"
-             ],
-             "Resource":[
-                "arn:aws:s3:::my-task-secrets-bucket/*"
+             "Principal":{
+                "Service":[
+                   "ecs-tasks.amazonaws.com"
@@ -195,0 +196,10 @@ AWS CLI
+             },
+             "Action":"sts:AssumeRole",
+             "Condition":{
+                "ArnLike":{
+                "aws:SourceArn":"arn:aws:ecs:us-west-2:111122223333:*"
+                },
+                "StringEquals":{
+                   "aws:SourceAccount":"111122223333"
+                }
+             }