Sunday, July 27, 2025

Amazon ECS IAM Roles | Overview.



Scope:

  • Intro,
  • IAM Roles in Amazon ECS,
  • Three main types of IAM roles used in ECS,
  • ECS Task Execution Role,
  • ECS Task Role,
  • ECS Container Instance Role (EC2 Launch Type only),
  • Summary Table,
  • Sample: Task Execution Role (Trust Policy),
  • Best Practices.

Intro:

  • Here is the twtech overview of how IAM roles work in Amazon ECS. Getting these roles right is what gives you fine-grained, least-privilege access control over the ECS components: the agent, your containers, and the EC2 hosts.

 IAM Roles in Amazon ECS

  • Amazon ECS uses IAM roles to control what the ECS agent (acting for the service), your containers, and EC2 container instances are each allowed to do. Each role is a separate identity with its own credentials, so a permission granted to one is not visible to the others.

There are three main types of IAM roles used in ECS:

1.  ECS Task Execution Role

  • Purpose: Allows the ECS agent (on Fargate, the platform) to perform actions on your behalf when starting a task, before your application code runs.
  • Used by: the ECS agent / container runtime, not the twtech application. Application code never receives these credentials.
  • Required when:
    • Pulling container images from Amazon ECR
    • Sending container logs to CloudWatch Logs with the awslogs log driver
    • Injecting secrets from AWS Secrets Manager or SSM Parameter Store as environment variables (plus kms:Decrypt when the secret or parameter is encrypted with a customer managed KMS key)
    • Fetching private-registry credentials referenced by repositoryCredentials

Key Policy Actions (a complete policy document; ecr:BatchGetImage is needed for the actual pull, and kms:Decrypt only for customer managed keys):

# json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

NB:

  • Attach this policy to the IAM role whose ARN you put in the task definition's executionRoleArn.
  • The AWS-managed policy AmazonECSTaskExecutionRolePolicy already covers the ECR and CloudWatch Logs actions; the ssm, secretsmanager and kms actions must be added yourself and should be scoped to the ARNs of the specific secrets, parameters and keys the task uses. Only ecr:GetAuthorizationToken genuinely needs "Resource": "*".

2.  ECS Task Role

  • Purpose: Defines what the application code running inside twtech containers can access.
  • Used by: the twtech containerized app through the AWS SDK or CLI (e.g., calling DynamoDB or S3). The SDK picks up the role's temporary credentials automatically from the task credential endpoint advertised in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; no access keys go into the image or environment.
  • The role is assigned per task definition (every container in the task shares it), not per EC2 instance.

Sample Use Case

  • App inside the container needs to read an S3 bucket or write to DynamoDB: grant those actions, scoped to that bucket and table, on the task role and nothing else.

Attached via: taskRoleArn in the Task Definition

3.  ECS Container Instance Role (EC2 Launch Type only)

  • Purpose: Allows the ECS agent on an EC2 container instance to register with the ECS control plane and send metrics and logs.
  • Used by: the ECS agent running on the EC2 instance.
  • Also called: ecsInstanceRole (the default name the console creates)

Policy: Attach the AWS-managed policy AmazonEC2ContainerServiceforEC2Role

Required for:

  • ECS agent registration and polling of the control plane
  • Agent and instance metrics/logs to CloudWatch
  • Pulling images from ECR when a task has no execution role (the agent falls back to the instance role)
  • Host access through Session Manager needs AmazonSSMManagedInstanceCore in addition; it is not part of the ECS policy

Attached to: the EC2 instance profile, set in the launch template or Auto Scaling group, not to the task definition.

Caveat: containers on the host can reach the instance metadata endpoint (169.254.169.254) unless the agent is configured to block it, so keep this role minimal and do not put application permissions on it.
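The three roles above are easy to mix up in a task definition. The following checker, an added example that is not code from the original post or from AWS, reads the same JSON you would pass to aws ecs register-task-definition and reports when an execution role is missing, when the app has no task role, and when the two roles are the same. The task definition and every ARN in it are constructed placeholders.

```python
"""Lint an ECS task definition for the three role requirements described above.

Added example (not code from the original post or from AWS). It reads the same
JSON you would pass to `aws ecs register-task-definition`; the task definition
below is constructed and every ARN in it is a placeholder.
"""
import re
from typing import Dict, List

# Images hosted in a private ECR registry: <account>.dkr.ecr.<region>.amazonaws.com/...
ECR_IMAGE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def needs_execution_role(td: Dict) -> List[str]:
    """Return the reasons this task definition needs an executionRoleArn."""
    reasons = []
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if ECR_IMAGE.match(c.get("image", "")):
            reasons.append(f"{name}: image is pulled from Amazon ECR")
        if c.get("logConfiguration", {}).get("logDriver") == "awslogs":
            reasons.append(f"{name}: awslogs driver writes to CloudWatch Logs")
        if c.get("secrets"):
            reasons.append(f"{name}: secrets are injected from Secrets Manager / SSM")
        if c.get("repositoryCredentials"):
            reasons.append(f"{name}: private registry credentials come from Secrets Manager")
    return reasons


def lint_task_definition(td: Dict) -> List[str]:
    """Return findings about the role wiring; an empty list means nothing to fix."""
    findings = []
    exec_role = td.get("executionRoleArn")
    task_role = td.get("taskRoleArn")

    reasons = needs_execution_role(td)
    if reasons and not exec_role:
        findings.append("missing executionRoleArn; required because: " + "; ".join(reasons))

    if not task_role:
        # No task role means no task-scoped credentials for the app. On the EC2 launch
        # type the app can still reach the instance profile through IMDS unless the
        # agent is configured to block it (see the note after this block).
        findings.append("no taskRoleArn: the app has no task-scoped credentials and, on EC2, "
                        "may fall back to the instance role via IMDS")

    if exec_role and task_role and exec_role == task_role:
        # The execution role is what the agent uses to pull images and read secrets;
        # sharing it with the app hands those permissions to application code.
        findings.append("taskRoleArn equals executionRoleArn: keep the agent's pull/log/"
                        "secrets permissions separate from what the app can call")
    return findings


# Constructed sample: a Fargate task that pulls from ECR, logs to CloudWatch and
# injects a secret, but forgot the execution role.
SAMPLE_TASK_DEF = {
    "family": "twtech-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "taskRoleArn": "arn:aws:iam::123456789012:role/twtechApiTaskRole",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/twtech-api:1.0",
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {"awslogs-group": "/ecs/twtech-api",
                        "awslogs-region": "us-east-1",
                        "awslogs-stream-prefix": "api"},
        },
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:twtech/db-AbCdEf"}],
    }],
}

if __name__ == "__main__":
    for finding in lint_task_definition(SAMPLE_TASK_DEF):
        print("-", finding)
```

Run against the sample it reports exactly one finding, the missing executionRoleArn, with the three reasons (ECR image, awslogs driver, secret) listed. The IMDS fall-back it warns about is real on the EC2 launch type: set ECS_AWSVPC_BLOCK_IMDS=true in the agent configuration for awsvpc-mode tasks, and for bridge or host mode add the iptables rule from the ECS task IAM role documentation that drops container traffic to 169.254.169.254, so that only the task role's credentials (served from 169.254.170.2) are reachable from inside a container.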

 Summary Table

Role Type            | Applies To             | Used For                              | Required
---------------------+------------------------+---------------------------------------+-----------------------------------------------
Task Execution Role  | ECS system components  | Pulling images, logs, secrets         | Yes, whenever ECR, awslogs or secrets are used
Task Role            | twtech container app   | Accessing AWS services (S3, DynamoDB) | Optional
EC2 Instance Role    | EC2 container hosts    | ECS agent registration, CloudWatch    | ECS on EC2 only

 Sample: Task Execution Role (Trust Policy)

  • The trust policy says who may assume the role. Both the task execution role and the task role trust ecs-tasks.amazonaws.com; the container instance role trusts ec2.amazonaws.com instead.
  • As written, ECS may assume this role on behalf of a task in any AWS account. For production, add aws:SourceAccount and aws:SourceArn conditions so the role can only be used for tasks in your own account (cross-service confused deputy prevention).

# json 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
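To make the confused-deputy point concrete, here is an added example (not from the original post or from AWS) that takes the trust policy above and pins it to one account with the aws:SourceAccount / aws:SourceArn conditions the ECS documentation recommends. The account ID is a placeholder; the default source ARN pattern matches any ECS resource in that account, and narrowing it to a single cluster or task family is left as a parameter because the exact ARN ECS supplies should be checked for your launch type before tightening it.

```python
"""Add confused-deputy conditions to an ECS role trust policy.

Added example (not from the original post or from AWS). It starts from the trust
policy shown above and pins it to one account; the account ID is a placeholder
and the source ARN pattern is an assumption to verify against your own trail.
"""
import copy
import json
from typing import Dict, Iterator, Optional

ECS_TASKS = "ecs-tasks.amazonaws.com"

# The trust policy as written above: ECS may assume the role for a task in any account.
BASE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ECS_TASKS},
        "Action": "sts:AssumeRole",
    }],
}


def ecs_statements(policy: Dict) -> Iterator[Dict]:
    """Yield every Allow statement whose principal includes ecs-tasks.amazonaws.com."""
    for stmt in policy.get("Statement", []):
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") == "Allow" and ECS_TASKS in services:
            yield stmt


def harden_trust_policy(policy: Dict, account_id: str,
                        source_arn_pattern: Optional[str] = None) -> Dict:
    """Return a copy in which ECS may only assume the role for tasks from account_id.

    The original policy object is not modified. source_arn_pattern defaults to
    any ECS resource in the account; pass a narrower ArnLike pattern to go further.
    """
    hardened = copy.deepcopy(policy)
    for stmt in ecs_statements(hardened):
        cond = stmt.setdefault("Condition", {})
        # ECS sets aws:SourceAccount / aws:SourceArn when it calls sts:AssumeRole for a
        # task, so a task in another account cannot use this role even if the role ARN
        # leaks or is guessed.
        cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
        cond.setdefault("ArnLike", {})["aws:SourceArn"] = (
            source_arn_pattern or f"arn:aws:ecs:*:{account_id}:*")
    return hardened


def is_confused_deputy_safe(policy: Dict) -> bool:
    """True when every ecs-tasks Allow statement pins the source account or source ARN."""
    stmts = list(ecs_statements(policy))
    if not stmts:
        return False
    for stmt in stmts:
        cond = stmt.get("Condition", {})
        pinned = ("aws:SourceAccount" in cond.get("StringEquals", {})
                  or "aws:SourceArn" in cond.get("ArnLike", {})
                  or "aws:SourceArn" in cond.get("ArnEquals", {}))
        if not pinned:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(harden_trust_policy(BASE_TRUST_POLICY, "123456789012"), indent=2))
```

The printed document is what you would pass to aws iam update-assume-role-policy for both the execution role and the task role; is_confused_deputy_safe can double as a check in a pipeline that reviews role definitions before they are applied.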

twtech Best Practices

  • Always restrict permissions to least privilege: scope Resource to the specific ECR repositories, log groups, secrets, buckets and tables rather than "*".
  • Use a different task role for each task family when apps have different AWS access needs, and never reuse the execution role as a task role.
  • Audit role usage with CloudTrail and IAM Access Analyzer (unused access findings), and prune permissions that are never exercised.
  • On Fargate, a task execution role is needed whenever the task pulls from ECR, uses the awslogs driver or injects secrets (in practice almost always); on EC2, the container instance role is always required and the execution role is needed for the same cases. The task role is optional on both launch types, but without it the app has no credentials of its own.
  • On EC2, block container access to the instance metadata endpoint so application code cannot borrow the instance role's credentials.
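The audit and least-privilege points can be combined: compare the actions a task role's policy allows against the actions CloudTrail shows that role actually making, and the difference is what to cut. The script below is an added example (not from the original post or from AWS; IAM Access Analyzer's unused-access findings do a fuller version of this). The policy and the CloudTrail records are constructed, and the grouping by task assumes that the session name in the assumed-role ARN is the ECS task ID, which is how ECS issues task-role credentials; treat that as an assumption to confirm in your own trail.

```python
"""Right-size a task role from CloudTrail: which allowed actions were never used?

Added example (not from the original post or from AWS). The policy and the
CloudTrail records are constructed. Grouping by task assumes the session name in
the assumed-role ARN is the ECS task ID (an assumption to verify in your trail).
"""
import fnmatch
from collections import defaultdict
from typing import Dict, List, Set

ROLE_NAME = "twtechApiTaskRole"

# Constructed task role policy: broader than the app turns out to need.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::twtech-data", "arn:aws:s3:::twtech-data/*"]},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

TASK_ID = "0123456789abcdef0123456789abcdef"
TASK_SESSION_ARN = f"arn:aws:sts::123456789012:assumed-role/{ROLE_NAME}/{TASK_ID}"
EXEC_SESSION_ARN = f"arn:aws:sts::123456789012:assumed-role/ecsTaskExecutionRole/{TASK_ID}"


def _record(source: str, name: str, arn: str) -> Dict:
    """Build a minimal CloudTrail record with only the fields this example reads."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}


# Constructed CloudTrail records: the app read S3 and used DynamoDB; the last record
# is the execution role pulling the image and must not be attributed to the task role.
CLOUDTRAIL_RECORDS = [
    _record("s3.amazonaws.com", "GetObject", TASK_SESSION_ARN),
    _record("dynamodb.amazonaws.com", "GetItem", TASK_SESSION_ARN),
    _record("dynamodb.amazonaws.com", "PutItem", TASK_SESSION_ARN),
    _record("ecr.amazonaws.com", "GetAuthorizationToken", EXEC_SESSION_ARN),
]


def used_actions(records: List[Dict], role_name: str) -> Dict[str, Set[str]]:
    """Map task ID -> set of 'service:Action' calls made with that role's credentials."""
    used = defaultdict(set)
    marker = f":assumed-role/{role_name}/"
    for rec in records:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "")
        if ident.get("type") != "AssumedRole" or marker not in arn:
            continue
        task_id = arn.rsplit("/", 1)[1]
        service = rec["eventSource"].split(".", 1)[0]      # "s3.amazonaws.com" -> "s3"
        used[task_id].add(f"{service}:{rec['eventName']}")
    return dict(used)


def allowed_actions(policy: Dict) -> Set[str]:
    """Collect the Action patterns of every Allow statement."""
    actions: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def unused_allowed(policy: Dict, records: List[Dict], role_name: str) -> List[str]:
    """Allowed action patterns that no record of this role ever exercised.

    IAM matches action names case-insensitively and treats '*' as a wildcard,
    so 'dynamodb:*' counts as used once any dynamodb call is seen.
    """
    seen: Set[str] = set().union(*used_actions(records, role_name).values())
    return sorted(pattern for pattern in allowed_actions(policy)
                  if not any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in seen))


if __name__ == "__main__":
    print("unused:", unused_allowed(TASK_ROLE_POLICY, CLOUDTRAIL_RECORDS, ROLE_NAME))
```

With the constructed records the unused list is s3:ListBucket and s3:PutObject, while dynamodb:* is reported as used because any DynamoDB call matches it; that wildcard is itself the next thing to tighten. Two caveats before deleting permissions on the strength of such output: CloudTrail only records S3 object-level calls when data events are enabled for the bucket, and eventName does not equal the IAM action name for every API, so confirm against the service's action list.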
