Amazon_ECS_11

Prefer using IAM roles for tasks rather than using IAM roles for an instance

Description

Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance role, you can associate an IAM role with an ECS task definition or RunTask API operation. Relying on the instance role instead means that every privilege required by any task in the cluster is added to a single IAM role, so each task can potentially use privileges it does not require.

Remediation

For each finding:

1. Log in to your AWS management console at https://console.aws.amazon.com/vpc/home

2. From under the services click ECS

3. For each cluster, perform the following:

4. Select the cluster from the list

5. Under the Services tab click on any Task Definition

6. From the Task Definition page, click on the Create new revision button

7. In the Create new revision of Task Definition page, select a task role from the drop-down list

8. Click the Create button at the bottom of the page

To create an IAM role and assign it to an ECS cluster, perform the following:

1. Open the IAM console at https://console.aws.amazon.com/iam/

2. In the navigation pane, choose Roles, Create New Role.

3. In the Select Role Type section, for the Amazon Elastic Container Service Task Role service role, choose Select

3.1 To view the trust relationship for this role, see Amazon ECS Task Role.

4. In the Attach Policy section, select the policy to use for your tasks (in this example AmazonECSTaskS3BucketPolicy), and then choose Next Step

5. For Role Name, enter a name for your role. For this example, type AmazonECSTaskS3BucketRole to name the role, and then choose Create Role to finish

CLI: You can use the following command to add a task role to your task definition:

aws ecs register-task-definition --family <value> --task-role-arn <value>


For more information: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/register-task-definition.html
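As an added example (not part of the original rule page), the following Python applies this check offline to the taskDefinition objects that describe-task-definition returns, and builds the input for a remediated revision that carries a task role. The sample task definitions, account id and role names are constructed; the trust policy is the standard ECS task role trust (ecs-tasks.amazonaws.com) referred to in step 3.1.

```python
"""Audit ECS task definitions for a missing task role and build the
register-task-definition input for a remediated revision.
Input is the 'taskDefinition' object from describe-task-definition;
the sample below is constructed, not real account data."""
import json

# Read-only fields in describe output that register-task-definition rejects.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# Constructed sample: one definition with a task role, one without.
SAMPLE_TASK_DEFINITIONS = [
    {"taskDefinitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/web:3",
     "family": "web", "revision": 3, "status": "ACTIVE",
     "taskRoleArn": "arn:aws:iam::111122223333:role/WebTaskRole",
     "containerDefinitions": [{"name": "web", "image": "nginx:1.25"}]},
    {"taskDefinitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/batch:7",
     "family": "batch", "revision": 7, "status": "ACTIVE",
     "containerDefinitions": [{"name": "batch", "image": "busybox"}]},
]

def task_role_trust_policy():
    """Trust policy letting ECS tasks (not EC2 instances) assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def find_missing_task_role(task_definitions):
    """Families whose ACTIVE task definition has no taskRoleArn; those tasks
    fall back to whatever the EC2 instance role is allowed to do."""
    return sorted(td["family"] for td in task_definitions
                  if td.get("status") == "ACTIVE" and not td.get("taskRoleArn"))

def build_remediated_revision(task_definition, task_role_arn):
    """Copy a definition, drop read-only fields and set the task role; the
    result is valid input for register-task-definition --cli-input-json."""
    new_td = {k: v for k, v in task_definition.items() if k not in READ_ONLY_FIELDS}
    new_td["taskRoleArn"] = task_role_arn
    return new_td

if __name__ == "__main__":
    for family in find_missing_task_role(SAMPLE_TASK_DEFINITIONS):
        print(f"Amazon_ECS_11 finding: family {family} has no task role")
    fixed = build_remediated_revision(SAMPLE_TASK_DEFINITIONS[1],
                                      "arn:aws:iam::111122223333:role/BatchTaskRole")
    print(json.dumps(fixed, indent=2))
```

Feeding the real describe-task-definition output (its taskDefinition member) into the same functions gives the list of findings and the JSON to pass to the CLI.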

Service

ECS

Severity

Medium

Compliance

Mapping
