AWS AmazonECS documentation change
Summary
Added JSON formatting sections, updated IAM policy examples with concrete region/account IDs (us-east-1/111122223333), and fixed policy syntax. Modified Fargate launch type reference.
Security assessment
Changes improve documentation clarity and example accuracy but do not address a specific security vulnerability. The ARN updates prevent potential misconfigurations by providing valid examples, but this is a documentation improvement rather than a security fix. No explicit security features were added.
Diff
diff --git a/AmazonECS/latest/developerguide/task_execution_IAM_role.md b/AmazonECS/latest/developerguide/task_execution_IAM_role.md index 36588ffb2..714d5c2d4 100644 --- a//AmazonECS/latest/developerguide/task_execution_IAM_role.md +++ b//AmazonECS/latest/developerguide/task_execution_IAM_role.md @@ -86,0 +87,8 @@ Replace all `user input` with your own information. +JSON + +JSON + + +**** + + @@ -143,0 +153,6 @@ The following is an example inline policy that adds the permissions. +JSON + + +**** + + @@ -146 +161 @@ The following is an example inline policy that adds the permissions. - "Version": "2012-10-17",&TCX5-2025-waiver; + "Version":"2012-10-17", @@ -155,2 +170,2 @@ The following is an example inline policy that adds the permissions. - "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name", - "arn:aws:kms:<region>:<aws_account_id>:key/key_id" + "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret_name", + "arn:aws:kms:us-east-1:111122223333:key/key_id" @@ -176,0 +193,6 @@ The following example policy adds the required permissions. +JSON + + +**** + + @@ -187 +209 @@ The following example policy adds the required permissions. - "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name" + "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret_name" @@ -211,0 +235,6 @@ The following example policy adds the required permissions: +JSON + + +**** + + @@ -224,3 +253,3 @@ The following example policy adds the required permissions: - "arn:aws:ssm:region:aws_account_id:parameter/parameter_name", - "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name", - "arn:aws:kms:region:aws_account_id:key/key_id" + "arn:aws:ssm:us-east-1:111122223333:parameter/parameter_name", + "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret_name", + "arn:aws:kms:us-east-1:111122223333:key/key_id" @@ -234 +264 @@ The following example policy adds the required permissions: -When launching tasks that use the Fargate launch type that pull images from Amazon ECR when Amazon ECR is configured to use an interface VPC endpoint, you can restrict the tasks access to a specific VPC or VPC endpoint. Do this by creating a task execution role for the tasks to use that use IAM condition keys. +When launching tasks that use Fargate that pull images from Amazon ECR when Amazon ECR is configured to use an interface VPC endpoint, you can restrict the tasks access to a specific VPC or VPC endpoint. Do this by creating a task execution role for the tasks to use that use IAM condition keys.