AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-10-16 · Documentation medium

File: AmazonECS/latest/developerguide/using_firelens.md

Summary

Added IAM role requirements for FireLens tasks and new documentation about running FireLens as a non-root user with uid specifications

Security assessment

The changes emphasize proper IAM permissions for secure access to AWS services (Firehose, S3, Secrets Manager) and introduce security best practices by recommending running FireLens as non-root user with unique UID to reduce container privilege escalation risks. While these are security improvements, there's no evidence they address a specific disclosed vulnerability.

Diff

diff --git a/AmazonECS/latest/developerguide/using_firelens.md b/AmazonECS/latest/developerguide/using_firelens.md
index f6413e0ee..1e78b0235 100644
--- a//AmazonECS/latest/developerguide/using_firelens.md
+++ b//AmazonECS/latest/developerguide/using_firelens.md
@@ -10,0 +11,11 @@ By default, Amazon ECS configures the container dependency so that the Firelens
+To use this feature, you must create an IAM role for your tasks that provides the permissions necessary to use any AWS services that the tasks require. For example, if a container is routing logs to Firehose, the task requires permission to call the `firehose:PutRecordBatch` API. For more information, see [Adding and Removing IAM Identity Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the _IAM User Guide_.
+
+Your task might also require the Amazon ECS task execution role under the following conditions. For more information, see [Amazon ECS task execution IAM role](./task_execution_IAM_role.html).
+
+  * If your task is hosted on Fargate and you are pulling container images from Amazon ECR or referencing sensitive data from AWS Secrets Manager in your log configuration, then you must include the task execution IAM role.
+
+  * When you use a custom configuration file that's hosted in Amazon S3, your task execution IAM role must include the `s3:GetObject` permission.
+
+
+
+
@@ -50 +61 @@ If you do not want the metadata in your logs, set `enable-ecs-log-metadata` to `
-To use this feature, you must create an IAM role for your tasks that provides the permissions necessary to use any AWS services that the tasks require. For example, if a container is routing logs to Firehose, the task requires permission to call the `firehose:PutRecordBatch` API. For more information, see [Adding and Removing IAM Identity Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the _IAM User Guide_.
+You can configure the FireLens container to run as a non-root user. Consider the following:
@@ -52 +63 @@ To use this feature, you must create an IAM role for your tasks that provides th
-Your task might also require the Amazon ECS task execution role under the following conditions. For more information, see [Amazon ECS task execution IAM role](./task_execution_IAM_role.html).
+  * To configure the FireLens container to run as a non-root user, you must specify the user in one of the following formats:
@@ -54 +65 @@ Your task might also require the Amazon ECS task execution role under the follow
-  * If your task is hosted on Fargate and you are pulling container images from Amazon ECR or referencing sensitive data from AWS Secrets Manager in your log configuration, then you must include the task execution IAM role.
+    * `uid`
@@ -56 +67,11 @@ Your task might also require the Amazon ECS task execution role under the follow
-  * When you use a custom configuration file that's hosted in Amazon S3, your task execution IAM role must include the `s3:GetObject` permission.
+    * `uid:gid`
+
+    * `uid:group`
+
+For more information about specifying a user in a container definition, see [ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html) in the _Amazon Elastic Container Service API Reference_.
+
+The FireLens container receives application logs over a UNIX socket. The Amazon ECS agent uses the `uid` to assign ownership of the socket directory to the FireLens container.
+
+  * Configuring the FireLens container to run as a non-root user is supported on Amazon ECS Agent version `1.96.0` and later, and Amazon ECS-optimized AMI version `v20250716` and later.
+
+  * When you specify a user for the FireLens container, the `uid` must be unique and not used for other processes belonging to other containers in the task or the container instance.
@@ -63 +84,3 @@ For information about how to use multiple configuration files with Amazon ECS, i
-For information about example configurations, see [Example Amazon ECS task definition: Route logs to FireLens](./firelens-taskdef.html)
+For information about example configurations, see [Example Amazon ECS task definition: Route logs to FireLens](./firelens-taskdef.html).
+
+For more information about configuring logs for high throughput, see [Configuring Amazon ECS logs for high throughput](./firelens-docker-buffer-limit.html).