AWS AmazonECS documentation change
Summary
Added new AmazonECSInfrastructureRoleforExpressGatewayServices policy documentation and updated existing policies
Security assessment
Introduces documentation for a new IAM policy with security-related permissions (managing SSL/TLS certificates, security groups, load balancers). While security-focused, there's no evidence this addresses a specific vulnerability.
Diff
diff --git a/AmazonECS/latest/developerguide/security-iam-awsmanpol.md b/AmazonECS/latest/developerguide/security-iam-awsmanpol.md index fd4891dc2..c034bfe76 100644 --- a//AmazonECS/latest/developerguide/security-iam-awsmanpol.md +++ b//AmazonECS/latest/developerguide/security-iam-awsmanpol.md @@ -5 +5 @@ -AmazonECS_FullAccessAmazonECSInfrastructureRolePolicyForVolumesAmazonEC2ContainerServiceforEC2RoleAmazonEC2ContainerServiceEventsRoleAmazonECSTaskExecutionRolePolicyAmazonECSServiceRolePolicyAmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurityAWSApplicationAutoscalingECSServicePolicyAWSCodeDeployRoleForECSAWSCodeDeployRoleForECSLimitedAmazonECSInfrastructureRolePolicyForLoadBalancersAmazonECSInfrastructureRolePolicyForManagedInstancesAmazonECSInfrastructureRolePolicyForVpcLattice AmazonECSComputeServiceRolePolicyAmazonECSInstanceRolePolicyForManagedInstancesPolicy updates +AmazonECS_FullAccessAmazonECSInfrastructureRolePolicyForVolumesAmazonEC2ContainerServiceforEC2RoleAmazonEC2ContainerServiceEventsRoleAmazonECSTaskExecutionRolePolicyAmazonECSServiceRolePolicyAmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurityAWSApplicationAutoscalingECSServicePolicyAWSCodeDeployRoleForECSAWSCodeDeployRoleForECSLimitedAmazonECSInfrastructureRolePolicyForLoadBalancersAmazonECSInfrastructureRolePolicyForManagedInstancesAmazonECSInfrastructureRolePolicyForVpcLatticeAmazonECSInfrastructureRoleforExpressGatewayServices AmazonECSComputeServiceRolePolicyAmazonECSInstanceRolePolicyForManagedInstancesPolicy updates @@ -155,0 +156,25 @@ Provides access to other AWS service resources required to manage VPC Lattice fe +## `AmazonECSInfrastructureRoleforExpressGatewayServices` + +You can attach the `AmazonECSInfrastructureRoleforExpressGatewayServices` policy to your IAM entities. This policy grants the permissions required by Amazon ECS to create and update web applications using Express Services on your behalf. The policy includes: + + * Permissions to create service-linked roles for Amazon ECS Application Auto Scaling + + * Permissions to create, modify, and delete Application Load Balancers, listeners, rules, and target groups + + * Permissions to create, modify, and delete VPC security groups for ECS-managed resources + + * Permissions to request, manage, and delete SSL/TLS certificates through ACM + + * Permissions to configure Application Auto Scaling policies and targets for Amazon ECS services + + * Permissions to create and manage CloudWatch alarms for auto scaling triggers + + * Read-only permissions to describe load balancers, VPC resources, certificates, auto scaling configurations, and CloudWatch alarms + + + + +These permissions enable Amazon ECS to automatically provision and manage the infrastructure components required for Express Services web applications, including load balancing, security groups, SSL certificates, and auto scaling configurations. + +To view the permissions for this policy, see [AmazonECSInfrastructureRoleforExpressGatewayServices](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonECSInfrastructureRoleforExpressGatewayServices.html) in the _AWS Managed Policy Reference_. + @@ -207,0 +233 @@ Change | Description | Date +Add permissions to [AmazonECSServiceRolePolicy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSServiceRolePolicy). | The `AmazonECSServiceRolePolicy` managed IAM policy was updated with new Amazon EC2 permissions which allow Amazon ECS to fetch Amazon EC2 Event Windows for services and clusters associated with Event Windows. | November 20, 2025 @@ -209,0 +236 @@ Update [AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity +Add new AmazonECSInfrastructureRoleforExpressGatewayServices | Added new AmazonECSInfrastructureRoleforExpressGatewayServices policy that provides Amazon ECS access to create and manage web applications using Express Services. | November 21, 2025 @@ -227 +254 @@ Add permissions to [AmazonEC2ContainerServiceforEC2Role](https://docs.aws.amazon -Add permissions to AmazonECS_FullAccess | The `AmazonECS_FullAccess` policy was modified to add the `elasticloadbalancing:AddTags` permission, which includes a condition that limits the permission only to newly created load balancers, target groups, rules, and listeners created. This permission doesn't allow tags to be added to any already created Elastic Load Balancing resources. | January 4, 2023 +Add permissions to AmazonECS_FullAccess | The `AmazonECS_FullAccess` policy was modified to add the `elasticloadbalancing:AddTags` permission, which includes a condition that limits the permission only to newly created load balancers, target groups, rules, and listeners created. This permission doesn't allow tags to be added to any already created ELB resources. | January 4, 2023