At the risk of being overly reductive, isn't this exactly the expected behavior: With ECS on EC2, the EC2 VM is a security boundary, and the container is not?
the article is a bit breathless, which seems par for the course for security blogs these days. And while "containers are not a security boundary" is evergreen and something AWS has been trumpeting since the beginning, they IMO should also try and make it a bit harder for your to get access to the host credentials.
I do know the ECS team highly indexes on maintaining backwards compatibility and minimizing migrations wherever possible, but this seems like a case where it's warranted.
Not when the documentation states (before the recent change) "a container never has access to credentials that are intended for another container that belongs to another task"
IAM is the bane of my existance. I once had to delegate spot fleet request/launch capabilities to a third party... it took me two weeks just to figure out how to add all the right permissions to make that happen without giving too much extra power.
Anyone who's trying to secure workloads running in any EC2 instance should know about this, there's nothing special about it being an ECS instance. You could do the same thing with EKS.
5 comments
[ 2.5 ms ] story [ 37.5 ms ] threadI do know the ECS team highly indexes on maintaining backwards compatibility and minimizing migrations wherever possible, but this seems like a case where it's warranted.