k9 Security now summarizes principals’ access to the Elastic Container Service (ECS) APIs. k9 reports whether IAM principals may administer ECS cluster, service, and task configurations or use ECS to run tasks. Amazon Elastic Container Service is a fully managed container orchestration service that allows you to run containers on your own EC2 instances or Fargate.

If you’re wondering which IAM principals can administer or run containers with ECS, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use ECS APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how ECS access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

k9 Principal Access Summary for ECS

This excerpt shows the ci IAM user has full access to the ECS APIs, covering all four k9 access capabilities: administer-resource, read-config, use-resource, and write-data. The k9-auditor role has only the read-config capability for ECS APIs, allowing it to read ECS configuration metadata but not to change configuration or run tasks.

k9 models starting or stopping container tasks on a cluster as use-resource:

Mapping of ECS API actions to use-resource

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
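To make the idea of summarizing IAM policy grants into access capabilities concrete, here is an added example (not k9's code). It evaluates a principal's policy document against a small, constructed action-to-capability mapping that follows the post's description (starting or stopping tasks is use-resource, reading configuration metadata is read-config); the specific assignments are assumptions, and Resource, Condition and NotAction clauses are ignored.

```python
"""Summarize the ECS actions a policy allows as k9-style capabilities.

Added example, not k9's own code. ECS_CAPABILITIES is an assumed, constructed
mapping; k9's real mapping is in the 'k9 Access Capability Mapping' worksheet.
"""
import re

# Assumed mapping of a handful of ECS API actions to capability names.
ECS_CAPABILITIES = {
    "ecs:CreateCluster": "administer-resource",
    "ecs:DeleteCluster": "administer-resource",
    "ecs:UpdateService": "administer-resource",
    "ecs:RegisterTaskDefinition": "administer-resource",
    "ecs:DescribeClusters": "read-config",
    "ecs:DescribeServices": "read-config",
    "ecs:ListTasks": "read-config",
    "ecs:RunTask": "use-resource",
    "ecs:StartTask": "use-resource",
    "ecs:StopTask": "use-resource",
    "ecs:PutAttributes": "write-data",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    """IAM action patterns: case-insensitive, '*' and '?' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def allowed_ecs_actions(policy):
    """Return the mapped ECS actions the policy permits; explicit Deny wins."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in ECS_CAPABILITIES if any(_matches(a, p) for p in patterns)}
        (allowed if stmt["Effect"] == "Allow" else denied).update(hits)
    return allowed - denied

def ecs_capabilities(policy):
    """Collapse permitted actions into a sorted list of capability names."""
    return sorted({ECS_CAPABILITIES[a] for a in allowed_ecs_actions(policy)})

# Constructed sample policies modelled on the post's ci user and k9-auditor role.
CI_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:List*"], "Resource": "*"}]}
# Same grant as ci, but an explicit Deny takes away the ability to run or stop tasks.
NO_RUN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ecs:RunTask", "ecs:StartTask", "ecs:StopTask"], "Resource": "*"},
]}
```

Running `ecs_capabilities(CI_POLICY)` yields all four capabilities, while the auditor policy yields only read-config and the Deny variant drops use-resource.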

The Amazon ECS API currently has 51 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how ECS compares to other AWS data, compute, and security APIs:

k9 AWS Service Analysis Summary

AWS ECS provides a way to orchestrate containers on a cluster of hosts without managing the orchestrator yourself. Manage risk to your applications running on ECS by continuously reviewing and adjusting access to ECS clusters, services, tasks, and the ECS compute APIs.

We hope k9’s new ECS analysis capabilities help you identify which IAM users and roles can administer ECS and run containerized tasks in your AWS accounts. We are happy to answer any questions!