Containers do not automatically enforce least privilege. If a task has no dedicated taskRoleArn, the workload can fall back to the EC2 instance's credentials. Those credentials belong to the platform, and they can carry far more permissions than any container should inherit.
The clean ECS identity model has three distinct roles:
- The container instance role for the EC2 host.
- The task execution role for ECS infrastructure actions.
- The task role for the application workload itself.
Learning Objectives
By the end of this room, you will be able to:
- Understand the three ECS identity roles and why each exists
- Identify ECS task definitions that are missing a dedicated taskRoleArn
- Create a scoped task role and attach it to a running service
- Register a corrected task definition revision using the
- Build a clean identity split with separate execution and task roles from the start
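As an added example (not code from the room), the following Python script shows the three-role model and the audit-and-fix objectives above as an offline check: it inspects task definition bodies for a missing taskRoleArn or for a task role that is simply the execution role reused, produces a corrected revision body with a dedicated task role, and emits the trust policy a task role needs so that ECS tasks, rather than the EC2 host, can assume it. The task definitions, account ID and role names are constructed sample values, not identifiers from the room.

```python
import copy
import json

# Constructed sample task definitions (hypothetical, not from the room).
# "billing-worker" has no taskRoleArn, so its containers would inherit
# whatever the EC2 instance role can do; "api" reuses the execution role
# as its task role; "reports" has the clean split.
SAMPLE_TASK_DEFINITIONS = [
    {
        "family": "billing-worker",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "worker", "image": "example/billing-worker:1.0"}],
    },
    {
        "family": "api",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "api", "image": "example/api:2.3"}],
    },
    {
        "family": "reports",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "taskRoleArn": "arn:aws:iam::123456789012:role/reports-task-role",
        "containerDefinitions": [{"name": "reports", "image": "example/reports:0.9"}],
    },
]


def audit_task_definition(task_def):
    """Return a list of identity findings for one task definition body."""
    findings = []
    task_role = task_def.get("taskRoleArn")
    execution_role = task_def.get("executionRoleArn")
    if not task_role:
        findings.append("no taskRoleArn: workload falls back to the instance credentials")
    if not execution_role:
        findings.append("no executionRoleArn: ECS infrastructure actions are not separated out")
    if task_role and execution_role and task_role == execution_role:
        findings.append("taskRoleArn equals executionRoleArn: execution and task identities are not split")
    return findings


def audit_all(task_defs):
    """Map family name -> findings, keeping only task definitions with problems."""
    report = {}
    for task_def in task_defs:
        findings = audit_task_definition(task_def)
        if findings:
            report[task_def.get("family", "<unknown>")] = findings
    return report


def ecs_task_trust_policy():
    """Trust policy for a task role: only the ECS tasks service principal may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def corrected_revision(task_def, task_role_arn):
    """Return a new task definition body with a dedicated taskRoleArn set.

    The input is not modified; registering the returned body creates a new
    revision, which the service can then be updated to use.
    """
    if task_def.get("executionRoleArn") == task_role_arn:
        raise ValueError("task role must be a separate role from the execution role")
    revised = copy.deepcopy(task_def)
    revised["taskRoleArn"] = task_role_arn
    return revised


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_TASK_DEFINITIONS), indent=2))
    fixed = corrected_revision(
        SAMPLE_TASK_DEFINITIONS[0],
        "arn:aws:iam::123456789012:role/billing-worker-task-role",  # hypothetical role
    )
    print(json.dumps(fixed, indent=2))
    print(json.dumps(ecs_task_trust_policy(), indent=2))
```

In a real environment the same functions can be fed the `taskDefinition` member of `aws ecs describe-task-definition` output for each active family; the audit deliberately treats a task role that is identical to the execution role as a finding, because that shape still hands the workload the permissions ECS itself needs rather than a scoped identity.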
Prerequisites
- Being able to set up your environment (First Steps Into room)
- Basic commands ( Fundamentals room)
- Have a basic understanding of the compute service (Introduction to Cloud Computing room)
It had no identity, so the instance role was close enough.
The Oversharing Container room is only available for Premium or Max subscribers.
