AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-07-10 · Documentation low

File: securityhub/latest/userguide/exposure-ecs-service.md

Summary

Added new 'Impact traits for Amazon ECS services' section with 15 privilege escalation patterns and removed two subsections about administrative IAM policies

Security assessment

The change introduces documentation for 15 new security impact traits describing privilege escalation risks (e.g., credential minting, trust policy hijack, data ransomware) but doesn't indicate a specific security vulnerability being fixed. It enhances security documentation by detailing attack vectors and recommending least privilege principles.

Diff

diff --git a/securityhub/latest/userguide/exposure-ecs-service.md b/securityhub/latest/userguide/exposure-ecs-service.md
index d31d6228d..2ffbc41f5 100644
--- a//securityhub/latest/userguide/exposure-ecs-service.md
+++ b//securityhub/latest/userguide/exposure-ecs-service.md
@@ -7 +7 @@
-Misconfiguration traits for Amazon ECS servicesReachability traits for Amazon ECS servicesVulnerability traits for Amazon ECS services
+Misconfiguration traits for Amazon ECS servicesReachability traits for Amazon ECS servicesVulnerability traits for Amazon ECS servicesImpact traits for Amazon ECS services
@@ -39,4 +38,0 @@ The remediation guidance provided in this topic might require additional consult
-    * [The IAM role associated with the Amazon ECS service has an administrative access policy](./exposure-ecs-service.html#administrative-access-policy)
-
-    * [The IAM Role associated with the ECS service has a Service Admin Policy](./exposure-ecs-service.html#service-admin-policy)
-
@@ -56,0 +53,34 @@ The remediation guidance provided in this topic might require additional consult
+  * [Impact traits for Amazon ECS services](./exposure-ecs-service.html#ecs-impact)
+
+    * [Full control privileged executor](./exposure-ecs-service.html#full-control-privileged-executor)
+
+    * [Direct policy escalation](./exposure-ecs-service.html#direct-policy-escalation)
+
+    * [Trust policy hijack](./exposure-ecs-service.html#trust-policy-hijack)
+
+    * [Data ransomware](./exposure-ecs-service.html#data-ransomware)
+
+    * [Remove restriction](./exposure-ecs-service.html#remove-restriction)
+
+    * [Pass role create executor](./exposure-ecs-service.html#pass-role-create-executor)
+
+    * [Swap role existing executor](./exposure-ecs-service.html#swap-role-existing-executor)
+
+    * [Role chain escalation](./exposure-ecs-service.html#role-chain-escalation)
+
+    * [Inject code privileged executor](./exposure-ecs-service.html#inject-code-privileged-executor)
+
+    * [Disable audit trail](./exposure-ecs-service.html#disable-audit-trail)
+
+    * [Access existing executor](./exposure-ecs-service.html#access-existing-executor)
+
+    * [Credential minting](./exposure-ecs-service.html#credential-minting)
+
+    * [Pass role data access](./exposure-ecs-service.html#pass-role-data-access)
+
+    * [Pass role task hijack](./exposure-ecs-service.html#pass-role-task-hijack)
+
+    * [Single hop data access](./exposure-ecs-service.html#single-hop-data-access)
+
+    * [Capability advancing](./exposure-ecs-service.html#capability-advancing)
+
@@ -161,54 +190,0 @@ Create a new revision of your task definition with the updated network mode conf
-### The IAM role associated with the Amazon ECS service has an administrative access policy
-
-IAM roles with administrative access policies attached to Amazon ECS tasks provide broad permissions that exceed what is typically required for container operation. This configuration increases the risk that a compromised container could be used to access or modify resources throughout your AWS environment. Following standard security principles, AWS recommends implementing least privilege access by granting only the permissions required for a task to function. 
-
-###### Review and identify administrative policies
-
-In the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and select the identified role. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect": "Allow", "Action": "*", and "Resource": "*"` together. 
-
-###### Implement least privilege access
-
-Replace administrative policies with those that grant only the specific permissions required for the instance to function. To identify unnecessary permissions, you can use IAM Access Analyzer to understand how to modify your policy based on access history. Alternatively, you can create a new IAM role to avoid impacting other applications that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. 
-
-###### Secure configuration considerations
-
-If service-level administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: 
-
-  * MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. 
-
-  * Setting up condition elements allow you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. 
-
-
-
-
-###### Update task definitions
-
-Create a new revision of your task definition that references the new or updated IAM roles. Then update your Amazon ECS service to use the new task definition revision. 
-
-### The IAM Role associated with the ECS service has a Service Admin Policy
-
-Service admin policies provide Amazon ECS tasks and services with permissions to perform all actions within specific AWS services. These policies typically include permissions that are required for Amazon ECS task functionality. Providing an IAM role with a service admin policy for Amazon ECS tasks, instead of the minimum set of permissions needed, can increase the scope of an attack if a container is compromised. Following standard security principles, AWS recommends that you grant least privileges, which means granting only the permissions required to perform a task. 
-
-###### Review and identify administrative policies
-
-In the **Resource ID** , identify the Amazon ECS task role and execution role names. Go to the [IAM dashboard](https://console.aws.amazon.com/iam/home/#roles) and select the identified roles. Review the permissions policies attached to these IAM roles. Look for policy statements that grant full access to services (e.g., `"s3": "*", "ecr": "*"`). For instructions on editing IAM policies, see [Edit IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policy-details) in the _IAM User Guide_. 
-
-###### Implement least privilege access
-
-Replace service admin policies with those that grant only the specific permissions required for Amazon ECS tasks to function. To identify unnecessary permissions, you can use IAM Access Analyzer to understand how to modify your policy based on access history. Alternatively, you can create a new IAM role to avoid impacting other applications that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. 
-
-###### Secure configuration considerations
-
-If service-level administrative permissions are necessary for Amazon ECS tasks, consider implementing these additional security controls: 
-
-  * **IAM conditions** – Set up condition elements to restrict when and how administrative permissions can be used based on factors like VPC endpoints or specific Amazon ECS clusters. For more information, see [Use conditions in IAM policies to further restrict access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the _IAM User Guide_. 
-
-  * **Permission boundaries** – Establish maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _IAM User Guide_. 
-
-
-
-
-###### Update task definitions
-
-Create a new revision of your task definition that references the new or updated IAM roles. Then update your Amazon ECS service to use the new task definition revision. 
-
@@ -305,0 +282,70 @@ Review the malicious package details in the **References** section of the **Vuln
+## Impact traits for Amazon ECS services
+
+Impact traits describe the potential blast radius of an exposure. Security Hub analyzes the effective permissions of the AWS Identity and Access Management principal associated with the Amazon ECS service to determine the downstream resources an attacker could reach if the service is compromised. Each impact trait identifies a specific privilege escalation pattern. To reduce your blast radius, review the permission paths described in each trait and remove any unnecessary privileges.
+
+Following standard security principles, AWS recommends that you grant least privilege — only the permissions required to perform a task. Replace broad policies with scoped-down policies that grant only the specific actions and resources needed. To identify unused permissions to remove, use IAM Access Analyzer to generate recommendations based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) and [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _IAM User Guide_.
+
+### Full control privileged executor
+
+The associated principal can pass a role to and inject code into a compute resource that already has elevated permissions. This allows the principal to gain full control over the executor and perform any action that the executor's role permits.
+
+### Direct policy escalation
+
+The associated principal can directly modify IAM policies to grant itself additional permissions, escalating its own privileges without intermediate resources.
+
+### Trust policy hijack
+
+The associated principal can modify the trust policy of an IAM role to allow itself to assume that role, gaining the role's permissions.
+
+### Data ransomware
+
+The associated principal can encrypt or delete data in a way that could be used for ransomware, such as encrypting Amazon S3 objects with a customer-managed AWS KMS key and then modifying the key policy.
+
+### Remove restriction
+
+The associated principal can remove security restrictions such as permission boundaries, service control policies, or resource-based policy deny statements, expanding what other principals or the resource itself can do.
+
+### Pass role create executor
+
+The associated principal can create a new compute resource (such as a Lambda function or Amazon EC2 instance) and pass it a privileged role, effectively laundering its own permissions through the new resource.
+
+### Swap role existing executor
+
+The associated principal can change the IAM role attached to an existing compute resource, replacing it with a more privileged role to escalate access.
+
+### Role chain escalation
+
+The associated principal can assume a sequence of roles, where each role in the chain has progressively broader permissions, ultimately reaching a highly privileged role.
+
+### Inject code privileged executor
+
+The associated principal can inject code into a running compute resource that has elevated permissions, executing arbitrary operations under that resource's privileged role.
+
+### Disable audit trail
+
+The associated principal can disable logging or monitoring services such as CloudTrail, effectively covering its tracks during or after an escalation.
+
+### Access existing executor
+
+The associated principal can invoke or connect to an existing compute resource and use its attached role to perform privileged actions.
+
+### Credential minting
+
+The associated principal can create new long-term credentials (such as access keys or login profiles) for other principals, establishing persistent access paths that survive password rotations or session expirations.
+
+### Pass role data access
+
+The associated principal can create a service resource and pass it a role that has access to sensitive data, gaining indirect access to that data through the new resource.
+
+### Pass role task hijack
+
+The associated principal can pass a role to a scheduled or event-driven task (such as a Lambda function triggered by an event), allowing it to execute arbitrary code with that role's permissions.
+
+### Single hop data access
+
+The associated principal can directly access sensitive data resources (such as Amazon S3 buckets or DynamoDB tables) through its existing permissions, without needing intermediate escalation steps.
+
+### Capability advancing
+
+The associated principal has a privilege escalation path that advances its overall capabilities beyond what its directly assigned permissions would suggest. This is a general classification for paths that do not match a more specific pattern.
+