AWS AmazonECS documentation change
Summary
Fixed punctuation in VPC endpoint note, added JSON section dividers, and modified CloudWatch Logs resource ARN placeholder syntax
Security assessment
Formatting changes and example structure adjustments. The ARN modification uses invalid ':::' syntax but does not introduce security vulnerabilities. Changes do not address security flaws or document security features.
Diff
diff --git a/AmazonECS/latest/developerguide/ecs-exec.md b/AmazonECS/latest/developerguide/ecs-exec.md index 297a804fb..cbf01c24a 100644 --- a//AmazonECS/latest/developerguide/ecs-exec.md +++ b//AmazonECS/latest/developerguide/ecs-exec.md @@ -53 +53 @@ The clusters details page displays the logging and AWS KMS customer managed key - * When you have tasks that run on Amazon EC2 instances, use `awsvpc` networking mode. If you don't have internet access, such as not configured to use a NAT gateway), you must create the interface Amazon VPC endpoints for the Systems Manager Session Manager (`ssmmessages`). For more information about `awsvpc` network mode considerations, see [Considerations](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html#linux). For more information about Systems Manager VPC endpoints, see [Use AWS PrivateLink to set up a VPC endpoint for Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-privatelink.html) in the _AWS Systems Manager User Guide_. + * When you have tasks that run on Amazon EC2 instances, use `awsvpc` networking mode. If you don't have internet access (such as not configured to use a NAT gateway), you must create the interface Amazon VPC endpoints for the Systems Manager Session Manager (`ssmmessages`). For more information about `awsvpc` network mode considerations, see [Considerations](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html#linux). For more information about Systems Manager VPC endpoints, see [Use AWS PrivateLink to set up a VPC endpoint for Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-privatelink.html) in the _AWS Systems Manager User Guide_. @@ -260,0 +261,8 @@ The following example policy adds the required Amazon CloudWatch Logs permission +JSON + +JSON + + +**** + + @@ -279 +287 @@ The following example policy adds the required Amazon CloudWatch Logs permission - "Resource": "arn:aws:logs:region:account-id:log-group:/aws/ecs/cloudwatch-log-group-name:*" + "Resource": "arn:aws:logs:::log-group:/aws/ecs/cloudwatch-log-group-name:*" @@ -288,0 +298,8 @@ The following example policy adds the required Amazon S3 permissions. +JSON + +JSON + + +**** + + @@ -322,0 +341,6 @@ You add the following inline policy to your task IAM role which requires the AWS +JSON + + +**** + + @@ -340,0 +366,6 @@ The following example policy for your user or group contains the required permis +JSON + + +**** + + @@ -379,0 +412,6 @@ With the following example IAM policy, users can run commands in containers that +JSON + + +**** + + @@ -404,0 +444,6 @@ With the following IAM policy example, users can't use the `execute-command` API +JSON + + +**** + + @@ -425,0 +472,6 @@ With the following IAM policy, users can only launch tasks when ECS Exec is turn +JSON + + +**** + + @@ -459,0 +513,6 @@ The following is an example IAM policy that denies access to the `ssm:start-sess +JSON + + +**** + + @@ -474,0 +535,6 @@ The following is an example IAM policy that denies access to the `ssm:start-sess +JSON + + +**** + +