AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-04-04 · Documentation low

File: securityhub/latest/userguide/exposure-ecs-service.md

Summary

Removed section about ECS task definitions with elevated privileges and fixed broken links for exposed namespace and service admin policy references

Security assessment

The change removes a section about security risks of privileged containers (container escape risks) and fixes broken links. While the removed content was security-related, the change itself doesn't indicate a specific security vulnerability being addressed - it appears to be documentation reorganization or cleanup. The link fixes are routine maintenance.

Diff

diff --git a/securityhub/latest/userguide/exposure-ecs-service.md b/securityhub/latest/userguide/exposure-ecs-service.md
index 4dd357cdf..20b5b1f65 100644
--- a//securityhub/latest/userguide/exposure-ecs-service.md
+++ b//securityhub/latest/userguide/exposure-ecs-service.md
@@ -25,2 +24,0 @@ The remediation guidance provided in this topic might require additional consult
-    * [The Amazon ECS service uses a task definition configured with elevated privileges](./exposure-ecs-service.html#task-definition-privileged)
-
@@ -29 +27 @@ The remediation guidance provided in this topic might require additional consult
-    * [The Amazon ECS service uses a task definition configured to share a host's process namespace](./exposure-ecs-service.html#exposed-name-space)
+    * [The Amazon ECS service uses a task definition configured to share a host's process namespace](./exposure-ecs-service.html#exposed-namespace)
@@ -41 +39 @@ The remediation guidance provided in this topic might require additional consult
-    * [The IAM Role associated with the ECS service has a Service Admin Policy](./exposure-ecs-service.html#service-administrative-policy)
+    * [The IAM Role associated with the ECS service has a Service Admin Policy](./exposure-ecs-service.html#service-admin-policy)
@@ -60,8 +57,0 @@ Here are misconfiguration traits for Amazon ECS services and suggested remediati
-### The Amazon ECS service uses a task definition configured with elevated privileges
-
-Amazon ECS containers running with elevated privileges have similar capabilities to the host system, potentially allowing access to host resources and other containers. This configuration increases the risk that a compromised container could be used to access or modify resources outside its intended scope, potentially leading to container escape, unauthorized access to the underlying host, and breaches affecting other containers on the same host. Following standard security principles, AWS recommends that you grant least privileges, which means that you grant only the permissions required to perform a task. 
-
-###### Review and modify task definition
-
-In the exposure, identify the task definition ARN. Open the task definition in the Amazon ECS console. In the task definition, look for the privileged flag set to true in the container definitions. If privileged mode is not required, create a new task definition revision without the privileged flag. If privileged mode is required, consider configuring the container to use a read-only file system to prevent unauthorized modifications. 
-