When running containerized workloads on Amazon ECS with the EC2 launch type, there is a critical security consideration: properly blocking container access to the EC2 Instance Metadata Service (IMDS). AWS does publish hardening recommendations for this (setting ECS_AWSVPC_BLOCK_IMDS=true in the agent configuration for awsvpc tasks, and an iptables DROP rule for 169.254.169.254 in the DOCKER-USER chain for bridge-mode tasks), but a deeper dive uncovered that the hardening is much more nuanced than those recommendations suggest, and that the AWS documentation has considerable gaps.
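Whatever hardening you apply, verify it from inside a running task rather than trusting the host configuration. The probe below is an added example, not code from this post or from the Latacora write-up; it assumes only the documented IMDS endpoints (PUT /latest/api/token for an IMDSv2 session token and GET /latest/meta-data/iam/security-credentials/ for the instance role name) and a one-second timeout. The fetch function is injectable, so the classifier is shown running against constructed responses offline; the constructed scenarios at the bottom are illustrative, not captured traffic.

```python
"""Probe whether the EC2 Instance Metadata Service is reachable from here.

Added example, not code from the original post or the Latacora write-up.
Assumes only the documented IMDS endpoints and a 1-second timeout; fetch()
is injectable so the classifier can be exercised with constructed responses.
"""
import socket
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_SECONDS = "21600"


def http_fetch(method, path, headers, timeout=1.0):
    """One HTTP request to IMDS. Returns (status, body); status is None when
    no HTTP answer came back at all (connection refused, dropped, or timed out)."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def probe_imds(fetch=http_fetch):
    """Classify IMDS exposure as seen from the calling network namespace.

    Returns one of:
      "blocked"   no HTTP answer to either request (what a hardened task sees)
      "imdsv2"    a session token was issued, so credentials are obtainable
      "imdsv1"    the token request got no answer or was refused, but an
                  unauthenticated GET succeeded (e.g. hop limit 1 with
                  HttpTokens=optional: the PUT reply never crosses the bridge)
      "reachable" IMDS answers but refuses credentials without a token
    """
    token_status, token = fetch(
        "PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS}
    )
    have_token = token_status == 200 and bool(token)
    headers = {"X-aws-ec2-metadata-token": token} if have_token else {}
    creds_status, _ = fetch("GET", CREDS_PATH, headers)

    if have_token:
        return "imdsv2"
    if creds_status == 200:
        return "imdsv1"
    if token_status is None and creds_status is None:
        return "blocked"
    return "reachable"


def fake_fetch(responses):
    """Build a fetch() stand-in from a {(method, path): (status, body)} map;
    used to show the four verdicts offline with constructed responses."""
    def fetch(method, path, headers, timeout=1.0):
        return responses[(method, path)]
    return fetch


if __name__ == "__main__":
    # Constructed scenarios (not captured traffic), one per verdict.
    scenarios = {
        "hardened task (DOCKER-USER DROP or ECS_AWSVPC_BLOCK_IMDS)":
            {("PUT", TOKEN_PATH): (None, ""), ("GET", CREDS_PATH): (None, "")},
        "unrestricted, IMDSv2 on":
            {("PUT", TOKEN_PATH): (200, "AQAAA..."), ("GET", CREDS_PATH): (200, "my-role")},
        "hop limit 1 but HttpTokens=optional":
            {("PUT", TOKEN_PATH): (None, ""), ("GET", CREDS_PATH): (200, "my-role")},
        "hop limit 1 and HttpTokens=required":
            {("PUT", TOKEN_PATH): (None, ""), ("GET", CREDS_PATH): (401, "")},
    }
    for name, responses in scenarios.items():
        print(f"{name}: {probe_imds(fake_fetch(responses))}")
    # Live probe of wherever this script is actually running.
    print(f"this network namespace: {probe_imds()}")
```

Run it inside a task container (for example via ECS Exec) and expect "blocked". Note that "reachable" still means the container has a network path to IMDS; only the token requirement is standing between it and the instance role credentials, so treat anything other than "blocked" as a finding.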

Please find the detailed technical analysis of these security gaps and mitigation recommendations over at the Latacora blog:

Continue reading on Latacora →

A Note on ECScape

My interest in IMDS hardening originated from Naor Haziz's research on ECScape. Naor's disclosure of the ECScape attack vector demonstrates the risk of privilege escalation when ECS tasks share the same underlying EC2 host: a malicious container with a low-privileged IAM task role can steal the credentials of a container with a higher-privileged task role by impersonating the ECS agent. The impersonation starts from the instance role credentials that IMDS hands out, which is why a container that can reach IMDS is the precondition for the attack, and then leverages an undocumented WebSocket protocol the agent uses to communicate with the ECS control plane. Check out his excellent talk on ECScape at fwd:cloudsec NA 2025.