AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2026-03-13 · Documentation medium

File: AmazonECS/latest/developerguide/bind-mounts.md

Summary

Removed section about security implications of privileged containers and host filesystem access for bind mounts.

Security assessment

Deleted content included security guidance about avoiding privileged containers. While this reduces security documentation, there's no evidence this change fixes a security issue. Removal of security best practices could impact user awareness but doesn't directly relate to patching vulnerabilities.

Diff

diff --git a/AmazonECS/latest/developerguide/bind-mounts.md b/AmazonECS/latest/developerguide/bind-mounts.md
index 98b480172..d96261a80 100644
--- a//AmazonECS/latest/developerguide/bind-mounts.md
+++ b//AmazonECS/latest/developerguide/bind-mounts.md
@@ -49,30 +48,0 @@ By default, the volume permissions are set to `0755` and the owner as `root`. Yo
-  * For tasks that are hosted on Amazon ECS Managed Instances, portions of the root filesystem are read-only. Read/write bind mounts must use writable directories such as `/var` for persistent data or `/tmp` for temporary data. Attempting to create read/write bind mounts to other directories results in the task failing to launch with an error similar to the following:
-    
-        error creating empty volume: error while creating volume path '/path': mkdir /path: read-only file system
-
-Read-only bind mounts (configured with `"readOnly": true` in the `mountPoints` parameter) can point to any accessible directory on the host.
-
-To view a full list of writable paths, you can run a task on a Amazon ECS Managed Instance and use to inspect the instance's mount table. Create a task definition with the following settings to access the host filesystem:
-    
-        {
-        "pidMode": "host",
-        "containerDefinitions": [{
-            "privileged": true,
-            ...
-        }]
-    }
-
-Then run the following commands from within the container:
-    
-        # List writable mounts
-    cat /proc/1/root/proc/1/mounts | awk '$4 ~ /^rw,/ || $4 == "rw" {print $2}' | sort
-    
-    # List read-only mounts
-    cat /proc/1/root/proc/1/mounts | awk '$4 ~ /^ro,/ || $4 == "ro" {print $2}' | sort
-
-###### Important
-
-The `privileged` setting grants the container extended capabilities on the host, equivalent to root access. In this example, it is used to inspect the host's mount table for diagnostic purposes. For more information, see [Avoid running containers as privileged (Amazon EC2)](./security-tasks-containers.html#security-tasks-containers-recommendations-avoid-privileged-containers).
-
-For more information about running commands interactively in containers, see [Monitor Amazon ECS containers with ECS Exec](./ecs-exec.html).
-