Security considerations for Amazon ECS Managed Instances
Amazon ECS Managed Instances provides a fully managed container compute experience that enables you to run workloads on specific Amazon EC2 instance types while offloading security responsibilities to AWS. This topic describes the security model, features, and considerations when using Amazon ECS Managed Instances.
Security model
Amazon ECS Managed Instances implements a comprehensive security model that balances flexibility with protection:
- AWS-managed infrastructure - AWS controls the lifecycle of managed instances and handles security patching, eliminating the possibility of human error and tampering.
- No administrative access - The security model is locked down and prohibits administrative access to managed instances.
- Multi-task placement - By default, Amazon ECS Managed Instances places multiple tasks on a single instance to optimize cost and utilization, which relaxes the workload-isolation constraint compared to Fargate.
- Data isolation - Although AWS controls instance lifecycle and task placement, AWS cannot log in to managed instances or access customer data.
Security features
Amazon ECS Managed Instances includes several built-in security features designed to protect your workloads and maintain a strong security posture. These features range from automated security patching to support for privileged Linux capabilities when needed.
Security best practices
Managed instances are configured according to AWS security best practices, including:
- No SSH access - Remote shell access is disabled to prevent unauthorized access.
- Immutable root filesystem - The root filesystem cannot be modified, ensuring system integrity.
- Kernel-level mandatory access controls - SELinux provides additional security enforcement at the kernel level.
Automatic security patching
Amazon ECS Managed Instances helps improve the security posture of your workloads through automated patching:
- Regular security updates - Instances are regularly updated with the latest security patches by AWS, with respect to the maintenance windows that you configure.
- Limited instance lifetime - The maximum lifetime of a running instance is limited to 14 days to ensure applications run on appropriately configured instances with up-to-date security patches.
- Maintenance window control - You can use the Amazon EC2 event windows capability to specify when Amazon ECS should replace your instances with patched ones.
Privileged Linux capabilities
Amazon ECS Managed Instances supports software that requires elevated Linux privileges, enabling advanced monitoring and security solutions:
- Supported capabilities - You can opt in to all privileged Linux capabilities, including CAP_NET_ADMIN, CAP_SYS_ADMIN, and CAP_BPF.
- Popular solutions - This enables you to run popular network monitoring and observability solutions such as Wireshark and Datadog.
- Explicit configuration required - You must explicitly configure your Amazon ECS Managed Instances capacity provider to enable privileged Linux capabilities, as they may pose additional security risks to your applications.
Important
Enabling privileged Linux capabilities may expose your tasks to additional security risks. Only enable these capabilities when required by your applications and ensure you understand the security implications.
Compliance and regulatory support
Amazon ECS Managed Instances maintains the same compliance posture as Amazon ECS:
- Compliance programs - Amazon ECS Managed Instances is in scope of the same AWS Assurance Programs as Amazon ECS, including PCI-DSS, HIPAA, and FedRAMP.
- FIPS endpoints - Amazon ECS Managed Instances respects your account-level setting for using FIPS endpoints in the AWS Regions to help achieve FedRAMP compliance.
- Customer Managed Keys - It supports security features required for achieving compliance, such as Customer Managed Keys for encryption.
Security considerations
When using Amazon ECS Managed Instances, there are several important security considerations to understand and plan for. These considerations help you make informed decisions about your workload architecture and security requirements.
Multi-task security model
The default multi-task placement model in Amazon ECS Managed Instances differs from Fargate's single-task isolation:
- Shared instance resources - Multiple tasks may run on the same instance, potentially exposing a task to vulnerabilities from other tasks running on the same instance or in the same ECS cluster.
- Single-task option - You can configure Amazon ECS Managed Instances to use single-task mode if you require the default Fargate security model, with a VM-level isolation boundary around each task.
- Cost vs. security trade-off - Multi-task mode provides cost optimization and faster task startup times, while single-task mode provides stronger isolation.
Handling instance interruptions
It's important to design your applications to tolerate interruptions when using Amazon ECS Managed Instances:
- Interruption tolerance - Use Amazon ECS Managed Instances with applications that tolerate interruption of the underlying services or tasks.
- Service-based workloads - Use Amazon ECS services for automatic task replacement, or run workloads with a controlled and limited duration not exceeding 14 days as standalone tasks.
- Graceful shutdown - Configure the task shutdown grace period to control the impact of interruptions.
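The application side of the shutdown grace period, as an added example that is not part of the AWS documentation: a worker that reacts to the stop signal by refusing new work, finishing the job in flight, and handing the rest back for a replacement task. It assumes the page's "task shutdown grace period" maps to the container-level stopTimeout in the task definition (ECS sends SIGTERM, waits up to stopTimeout, then SIGKILL); the worker class, job ids and timeout value are constructed for illustration.

```python
"""Interruption-tolerant worker for a task that may be stopped at any time.

Constructed example (not AWS code). ECS stops a task by sending SIGTERM to each
container, waiting up to the container's stopTimeout, then sending SIGKILL. A
worker that stops pulling jobs on SIGTERM, finishes the one in flight and hands
the remainder back loses no work when its instance is replaced (assumption: the
shutdown grace period is the container's stopTimeout).
"""
import signal
import time
from typing import Iterable, List, Optional, Tuple


class GracefulWorker:
    def __init__(self, stop_timeout_s: float = 30.0) -> None:
        # Budget for finishing the in-flight job; keep it below the container's
        # stopTimeout so that work completes before ECS escalates to SIGKILL.
        # The 30 s value is a constructed default, not an AWS-documented one.
        self.stop_timeout_s = stop_timeout_s
        self.shutdown_requested = False
        self.shutdown_at: Optional[float] = None

    def request_shutdown(self, signum: int = 0, frame=None) -> None:
        """Signal handler: only record the request; do no real work in a handler."""
        self.shutdown_requested = True
        self.shutdown_at = time.monotonic()

    def install_signal_handlers(self) -> None:
        # SIGTERM is what ECS sends first; SIGINT covers local runs.
        signal.signal(signal.SIGTERM, self.request_shutdown)
        signal.signal(signal.SIGINT, self.request_shutdown)

    def grace_remaining(self) -> float:
        """Seconds left in the grace budget (infinite when not shutting down)."""
        if self.shutdown_at is None:
            return float("inf")
        return self.stop_timeout_s - (time.monotonic() - self.shutdown_at)

    def run(self, jobs: Iterable[int], seconds_per_job: float = 0.0) -> Tuple[List[int], List[int]]:
        """Process jobs in order and return (completed, unfinished).

        Unfinished jobs are returned rather than dropped so the caller can
        re-queue them for the replacement task that ECS starts for a service.
        """
        done: List[int] = []
        it = iter(jobs)
        for job in it:
            if self.shutdown_requested:
                # Hand back the job just pulled plus everything after it.
                return done, [job] + list(it)
            time.sleep(seconds_per_job)  # stands in for real work
            done.append(job)
        return done, []


if __name__ == "__main__":
    worker = GracefulWorker(stop_timeout_s=30)
    worker.install_signal_handlers()
    completed, unfinished = worker.run(range(1, 6))
    print("completed:", completed, "to re-queue:", unfinished)
```

Because the signal handler only sets a flag, the loop decides when to stop, which keeps the in-flight job's state consistent; the returned unfinished list is what you would push back to the queue before exiting.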
Data access and privacy
Amazon ECS Managed Instances maintains strict data access controls:
- No customer data access - Although AWS controls the lifecycle of managed instances and the placement of tasks on the instances, AWS cannot log in to managed instances or access customer data.
- Metrics and logs only - AWS captures only metrics and related logs required to provide the Amazon ECS Managed Instances capabilities.
- Locked-down security model - The security model prohibits administrative access, eliminating the possibility of human error and tampering.
Security best practices
Follow these best practices when using Amazon ECS Managed Instances:
- Evaluate security model - Make a conscious decision about adopting Amazon ECS Managed Instances based on your security requirements, particularly regarding the multi-task placement model.
- Use single-task mode when needed - If your workloads require stronger isolation, configure Amazon ECS Managed Instances to use single-task mode.
- Minimize privileged capabilities - Only enable privileged Linux capabilities when absolutely necessary and understand the associated security risks.
- Plan for interruptions - Design applications to handle instance replacements gracefully, especially considering the 14-day maximum instance lifetime.
- Configure maintenance windows - Use EC2 event windows to control when instance replacements occur to minimize impact on your workloads.
- Monitor and audit - Regularly review your Amazon ECS Managed Instances configuration and monitor for any security-related events or changes.
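A review check for the "Minimize privileged capabilities" and "Monitor and audit" practices above, and for the privileged Linux capabilities section earlier on the page, as an added example that is not AWS code: it scans task definitions for containers that add CAP_NET_ADMIN, CAP_SYS_ADMIN or CAP_BPF (or run privileged outright) and for containers with no explicit stopTimeout. It assumes the ECS task-definition convention of listing capabilities without the CAP_ prefix under linuxParameters.capabilities.add; the three task definitions are constructed, and the capacity-provider setting the page says must also be enabled is outside what a task-definition audit can see.

```python
"""Audit ECS task definitions for privileged Linux capabilities and stop timeouts.

Constructed example (not AWS code). The sample task definitions are made up.
Capability names follow the ECS task-definition convention, which omits the
CAP_ prefix ("SYS_ADMIN" for CAP_SYS_ADMIN); _normalize accepts both spellings.
"""
from typing import Any, Dict, Iterable, List

# Capabilities this page names as privileged, plus ALL, which implies them.
HIGH_RISK_CAPS = {"NET_ADMIN", "SYS_ADMIN", "BPF", "ALL"}


def _normalize(cap: str) -> str:
    """Uppercase and strip an optional CAP_ prefix so both spellings compare equal."""
    cap = cap.strip().upper()
    return cap[len("CAP_"):] if cap.startswith("CAP_") else cap


def audit_task_definition(td: Dict[str, Any]) -> List[str]:
    """Return one finding per risky setting found in a task definition."""
    findings: List[str] = []
    family = td.get("family", "<unknown>")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append(f"{family}/{name}: privileged=true grants every capability")
        caps = (c.get("linuxParameters") or {}).get("capabilities") or {}
        risky = sorted({_normalize(x) for x in caps.get("add", [])} & HIGH_RISK_CAPS)
        if risky:
            findings.append(f"{family}/{name}: adds privileged capabilities {','.join(risky)}")
        if "stopTimeout" not in c:
            findings.append(f"{family}/{name}: no explicit stopTimeout; shutdown grace period left at the default")
    return findings


def audit_all(task_definitions: Iterable[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each task-definition family with findings to its list of findings."""
    report: Dict[str, List[str]] = {}
    for td in task_definitions:
        findings = audit_task_definition(td)
        if findings:
            report[td.get("family", "<unknown>")] = findings
    return report


def fetch_task_definition(task_definition: str) -> Dict[str, Any]:
    """Load a live task definition with boto3 (not called in the offline demo)."""
    import boto3  # imported here so the offline demo has no dependency on it
    ecs = boto3.client("ecs")
    return ecs.describe_task_definition(taskDefinition=task_definition)["taskDefinition"]


# Constructed sample input: three task-definition families as describe-task-definition
# would return them (trimmed to the fields the audit reads).
SAMPLE_TASK_DEFINITIONS = [
    {
        "family": "payments-api",
        "containerDefinitions": [{"name": "api", "stopTimeout": 60}],
    },
    {
        "family": "net-monitor",
        "containerDefinitions": [
            {
                "name": "agent",
                "stopTimeout": 30,
                "linuxParameters": {"capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}},
            }
        ],
    },
    {
        "family": "legacy-batch",
        "containerDefinitions": [{"name": "job", "privileged": True}],
    },
]


if __name__ == "__main__":
    for family, findings in audit_all(SAMPLE_TASK_DEFINITIONS).items():
        for finding in findings:
            print(finding)
```

On the sample input the payments-api family produces no findings, net-monitor is flagged for NET_ADMIN and SYS_ADMIN, and legacy-batch is flagged twice; in practice you would feed fetch_task_definition over the families registered in your account and treat any new finding as a change to review.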