
The Oversharing Container

Max room.

A container without its own role inherits the host's. See why that is a problem in its own right.

medium

45 min

5


Containers do not automatically enforce least privilege. If an ECS task has no dedicated taskRoleArn, the AWS SDK's default credential chain inside the container finds no container credentials endpoint and falls through to the EC2 instance metadata service, picking up the instance profile credentials. Those credentials belong to the platform (the ECS agent uses them to register the host with the cluster and talk to the ECS control plane), and they can carry far more permissions than any single container should inherit.

The clean ECS identity model has three distinct roles:

  • The container instance role, assumed by the EC2 host and the ECS agent running on it.
  • The task execution role, used by the agent on the task's behalf for ECS infrastructure actions such as pulling images from ECR, fetching secrets and writing logs to CloudWatch.
  • The task role, assumed by the application workload itself for the AWS calls the application makes.

Learning Objectives

By the end of this room, you will be able to:

  • Understand the three ECS identity roles and why each exists
  • Identify ECS task definitions that are missing a dedicated taskRoleArn
  • Create a scoped task role and attach it to a running service
  • Register a corrected task definition revision using the
  • Build a clean identity split with separate execution and task roles from the start
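The identity split above and the audit-and-fix procedure in these objectives, worked through as an added example that is not part of the room's material. It runs offline on constructed task definition records shaped like `aws ecs describe-task-definition` output; the account ID, role names, bucket name and family names are placeholders, and the `credential_source` helper mirrors the SDK credential-chain order rather than calling any AWS service.

```python
"""Offline audit and fix for ECS task definitions that lack a dedicated task role.

Added example: models the ECS identity split on constructed input and never calls AWS.
Account IDs, role names, bucket and family names below are placeholders.
"""
import copy
import json

# Fields present in `aws ecs describe-task-definition` output that
# `aws ecs register-task-definition` rejects; strip them before re-registering.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

ACCOUNT = "123456789012"  # placeholder account
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"


def _td(family, **extra):
    """Build a constructed describe-task-definition style record for one family."""
    base = {
        "taskDefinitionArn": f"arn:aws:ecs:us-east-1:{ACCOUNT}:task-definition/{family}:3",
        "family": family, "revision": 3, "status": "ACTIVE",
        "requiresCompatibilities": ["EC2"], "compatibilities": ["EC2"],
        "registeredAt": "2024-01-01T00:00:00Z",
        "containerDefinitions": [{
            "name": "app", "essential": True,
            "image": f"{ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/{family}:1.2",
        }],
    }
    base.update(extra)
    return base


SAMPLE_TASK_DEFS = [
    _td("uploader", executionRoleArn=EXEC_ROLE),                          # no task role at all
    _td("reporter", executionRoleArn=EXEC_ROLE, taskRoleArn=EXEC_ROLE),   # execution role reused as task role
    _td("billing", executionRoleArn=EXEC_ROLE,
        taskRoleArn=f"arn:aws:iam::{ACCOUNT}:role/billing-task-role"),    # clean split
]


def credential_source(env):
    """Where an SDK inside the container gets credentials, in default-chain order."""
    if "AWS_ACCESS_KEY_ID" in env:
        return "static-env"
    if "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in env:
        return "task-role"          # injected by the ECS agent: the task has its own role
    return "instance-metadata"      # falls through to IMDS and the host's instance profile


def audit_task_definition(td):
    """Return identity findings for one task definition (empty list means clean)."""
    findings = []
    task_role, exec_role = td.get("taskRoleArn"), td.get("executionRoleArn")
    if not task_role:
        findings.append("missing taskRoleArn: app credentials fall back to the container instance role")
    elif task_role == exec_role:
        findings.append("taskRoleArn equals executionRoleArn: infrastructure and app permissions are fused")
    if not exec_role:
        findings.append("missing executionRoleArn: image pulls and log delivery run under the instance role")
    return findings


def task_role_trust_policy(account):
    """Trust policy letting only ECS tasks in this account assume the role.
    The aws:SourceAccount condition is an assumed hardening, per the confused-deputy guidance."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account}},
    }]}


def scoped_task_policy(bucket):
    """Permissions policy for the hypothetical uploader app: writes to one bucket, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def corrected_revision(td, task_role_arn):
    """JSON body for register-task-definition with the dedicated task role attached."""
    new = {k: v for k, v in copy.deepcopy(td).items() if k not in READ_ONLY_FIELDS}
    new["taskRoleArn"] = task_role_arn
    return new


if __name__ == "__main__":
    for td in SAMPLE_TASK_DEFS:
        print(td["family"], audit_task_definition(td) or ["ok"])
    fixed = corrected_revision(SAMPLE_TASK_DEFS[0], f"arn:aws:iam::{ACCOUNT}:role/uploader-task-role")
    print(json.dumps(fixed, indent=2))  # save and pass to register-task-definition --cli-input-json
```

In a real account the input to `audit_task_definition` is the `taskDefinition` object from `aws ecs describe-task-definition --task-definition <family:revision>`, the output of `corrected_revision` goes to `aws ecs register-task-definition --cli-input-json file://fixed.json`, and the service is pointed at the new revision with `aws ecs update-service --task-definition <family:newrevision>`. Note that the fix alone does not stop a container from reaching IMDS; keeping the task role scoped and blocking IMDS from tasks are separate controls.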

Prerequisites

Answer the questions below

It had no identity, so the instance role was close enough.