AWS Security ChangesHomeSearch

AWS AmazonECS medium security documentation change

Service: AmazonECS · 2025-11-19 · Security-related medium

File: AmazonECS/latest/developerguide/security-iam-awsmanpol.md

Summary

Updated IAM policy documentation for ServiceConnectTransportLayerSecurity with improved secret management

Security assessment

Modified IAM policy to separate secretsmanager:DescribeSecret permission and use ARN patterns instead of tags, improving secret lifecycle management and access scoping. This directly impacts security controls by refining permission boundaries and monitoring capabilities.

Diff

diff --git a/AmazonECS/latest/developerguide/security-iam-awsmanpol.md b/AmazonECS/latest/developerguide/security-iam-awsmanpol.md
index 4314e1005..fd4891dc2 100644
--- a//AmazonECS/latest/developerguide/security-iam-awsmanpol.md
+++ b//AmazonECS/latest/developerguide/security-iam-awsmanpol.md
@@ -208,0 +209 @@ Add permissions to [AmazonECSServiceRolePolicy](https://docs.aws.amazon.com/Amaz
+Update [AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity) policy  | Updated the AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity managed IAM policy to separate the secretsmanager:DescribeSecret permission into its own policy statement. The permission continues to scope Amazon ECS access exclusively to secrets created by Amazon ECS and uses ARN pattern matching instead of resource tags for scoping. This allows Amazon ECS to monitor secret status throughout its lifecycle, including when a secret has been deleted. | November 13, 2025