AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-08-10 · Documentation low

File: AmazonECS/latest/developerguide/tutorial-gmsa-windows.md

Summary

Clarified gMSA account creation process, added note about separate service user account, updated placeholder values to use 'example-domain' instead of 'contoso', and corrected PowerShell commands to use distinct service user credentials.

Security assessment

The changes emphasize security best practices by distinguishing between gMSA and service user accounts, reducing credential reuse risks. While no specific vulnerability is addressed, the documentation now better guides users toward secure configuration by preventing accidental account privilege overlap and clarifying credential storage in AWS Secrets Manager.

Diff

diff --git a/AmazonECS/latest/developerguide/tutorial-gmsa-windows.md b/AmazonECS/latest/developerguide/tutorial-gmsa-windows.md
index e5fdc64cb..40bf3da9d 100644
--- a//AmazonECS/latest/developerguide/tutorial-gmsa-windows.md
+++ b//AmazonECS/latest/developerguide/tutorial-gmsa-windows.md
@@ -91,0 +92,4 @@ Create and configure a gMSA account on the Active Directory domain.
+###### Note
+
+This step creates two separate accounts: a Group Managed Service Account (gMSA) that provides the identity for your containers, and a regular user account that is used for domain authentication. These accounts serve different purposes and should have different names.
+
@@ -114 +118 @@ Although the argument `EffectiveImmediately` to the command implies the key is e
-To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password, run the following PowerShell commands from a Windows Server or client with access to the domain. Replace `ExampleAccount` with the name that you want for your gMSA account.
+To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password, run the following PowerShell commands from a Windows Server or client with access to the domain. Replace `ExampleAccount` with the name that you want for your gMSA account, and replace `example-domain` with your Active Directory domain name (for example, if your domain is `contoso.com`, use `contoso`).
@@ -120 +124 @@ To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password
-    3.         PS C:\> New-ADServiceAccount -Name "ExampleAccount" -DnsHostName "contoso" -ServicePrincipalNames "host/ExampleAccount", "host/contoso" -PrincipalsAllowedToRetrieveManagedPassword "ExampleAccountHosts"
+    3.         PS C:\> New-ADServiceAccount -Name "ExampleAccount" -DnsHostName "example-domain" -ServicePrincipalNames "host/ExampleAccount", "host/example-domain" -PrincipalsAllowedToRetrieveManagedPassword "ExampleAccountHosts"
@@ -122 +126 @@ To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password
-    4. Create a user with a permanent password that doesn't expire. These credentials are stored in AWS Secrets Manager and used by each task to join the domain.
+    4. Create a user with a permanent password that doesn't expire. These credentials are stored in AWS Secrets Manager and used by each task to join the domain. This is a separate user account from the gMSA account created above. Replace `ExampleServiceUser` with the name you want for this service user account.
@@ -124 +128 @@ To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password
-                PS C:\> New-ADUser -Name "ExampleAccount" -AccountPassword (ConvertTo-SecureString -AsPlainText "Test123" -Force) -Enabled 1 -PasswordNeverExpires 1
+                PS C:\> New-ADUser -Name "ExampleServiceUser" -AccountPassword (ConvertTo-SecureString -AsPlainText "Test123" -Force) -Enabled 1 -PasswordNeverExpires 1
@@ -126 +130 @@ To create the gMSA account and allow the `ccg.exe` to retrieve the gMSA password
-    5.         PS C:\> Add-ADGroupMember -Identity "ExampleAccountHosts" -Members "ExampleAccount"
+    5.         PS C:\> Add-ADGroupMember -Identity "ExampleAccountHosts" -Members "ExampleServiceUser"
@@ -147 +151 @@ This step uses the AWS CLI. You can run these commands in AWS CloudShell in the
-  * Run the following AWS CLI command and replace the username, password, and domain name to match your environment. Keep the ARN of the secret to use in the next step, Step 3: Modify your CredSpec JSON to include domainless gMSA information
+  * Run the following AWS CLI command and replace the username, password, and domain name to match your environment. Use the service user account name (not the gMSA account name) for the username. Keep the ARN of the secret to use in the next step, Step 3: Modify your CredSpec JSON to include domainless gMSA information
@@ -154 +158 @@ The following command uses backslash continuation characters that are used by `s
-    --secret-string "{\"username\":\"ExampleAccount\",\"password\":\"Test123\",\"domainName\":\"contoso.com\"}"
+    --secret-string "{\"username\":\"ExampleServiceUser\",\"password\":\"Test123\",\"domainName\":\"contoso.com\"}"
@@ -185,3 +189,3 @@ You can also use a secret in SSM Parameter Store by using the ARN in this format
-        "DnsTreeName": "contoso",
-        "DnsName": "contoso",
-        "NetBiosName": "contoso"
+        "DnsTreeName": "example-domain",
+        "DnsName": "example-domain",
+        "NetBiosName": "example-domain"
@@ -193 +197 @@ You can also use a secret in SSM Parameter Store by using the ARN in this format
-            "Scope": "contoso"
+            "Scope": "example-domain"
@@ -197 +201 @@ You can also use a secret in SSM Parameter Store by using the ARN in this format
-            "Scope": "contoso"
+            "Scope": "example-domain"