ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
17 days ago
- #Cloud Computing
- #Security
- #AWS ECS
- Amazon ECS tasks running on EC2 container instances share the instance's metadata service (IMDS), and through it the instance role; the EC2 instance, not the task, is the security boundary, so one task can end up holding credentials that belong to other tasks on the same host.
- A technique called 'ECScape' lets a low-privileged container impersonate the ECS agent and collect the task role credentials of higher-privileged tasks scheduled on the same instance.
- The chain is: read the EC2 instance role credentials from IMDS (169.254.169.254) inside the container, use them to open a WebSocket session to the ECS control plane the way the real agent does, and receive the task credentials the control plane hands out for the other tasks on that instance.
- API calls made with the stolen credentials are logged in CloudTrail under the victim task's role session and look identical to the task's own activity, so detection depends on anomaly monitoring, such as a task role being used from a source address or workload that should not hold it.
- AWS Fargate does not have this problem: each task runs in its own micro-VM with no shared EC2 instance role, so there is no host credential for a neighbouring task to borrow.
- Mitigations: block task access to IMDS (ECS_AWSVPC_BLOCK_IMDS=true for awsvpc tasks, an iptables DROP rule towards 169.254.169.254 for bridge-mode containers, and IMDSv2 with a hop limit of 1), run high-privilege tasks on dedicated instances or on Fargate, keep task roles least-privilege so a stolen credential buys as little as possible, and alert on task roles used from unexpected sources.
- AWS responded by updating its ECS documentation to make the shared-instance credential risk explicit, but did not classify the behaviour as a vulnerability.
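The CloudTrail point above (stolen task credentials look like the task's own calls) is easiest to see with a concrete check. The script below is an added example, not code from the ECScape research or from AWS: it assumes awsvpc networking (each task has its own ENI and private IP, which CloudTrail records in sourceIPAddress for calls that go through VPC endpoints) and that task-role sessions are logged as arn:aws:sts::<account>:assumed-role/<role>/<ecs-task-id>. The task inventory and the CloudTrail records are constructed for the example; in production the inventory would come from ecs:DescribeTasks and ec2:DescribeNetworkInterfaces.

```python
"""Flag ECS task-role usage that does not come from the task holding the role.

Added example (not from the article, the ECScape research, or AWS).
Assumptions: awsvpc networking, private source IPs in CloudTrail, and
assumed-role sessions named after the ECS task ID. All data is constructed.
"""

# Constructed inventory: ECS task ID -> (task role name, task ENI private IP).
TASK_NETWORK = {
    "6f8e2b1a4c0d4e9fa1b2c3d4e5f60718": ("payments-task-role", "10.0.1.25"),
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9": ("web-frontend-task-role", "10.0.1.40"),
}


def session_parts(arn):
    """Split an assumed-role ARN into (role_name, session_name), or None."""
    marker = ":assumed-role/"
    i = arn.find(marker)
    if i < 0:
        return None
    role, _, session = arn[i + len(marker):].partition("/")
    if not role or not session:
        return None
    return role, session


def classify_event(event, inventory=TASK_NETWORK):
    """Return a finding dict when a tracked task role is used from somewhere
    other than the task that holds it; None when the call looks legitimate."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = session_parts(ident.get("arn", ""))
    if parts is None:
        return None
    role, session = parts
    tracked_roles = {r for r, _ in inventory.values()}
    if role not in tracked_roles:
        return None  # not a task role we inventory (e.g. the instance role)
    src = event.get("sourceIPAddress", "")
    base = {"eventName": event.get("eventName"), "role": role,
            "session": session, "sourceIPAddress": src}
    known = inventory.get(session)
    if known is None:
        return dict(base, reason="task role session matches no running task")
    expected_role, expected_ip = known
    if expected_role != role:
        return dict(base, reason=f"task {session} holds {expected_role}, not {role}")
    if src != expected_ip:
        # Stolen credentials keep the victim's session name but are used from
        # another address: the attacker's task ENI or something outside AWS.
        return dict(base, reason=f"called from {src}, task ENI is {expected_ip}")
    return None


def scan(events, inventory=TASK_NETWORK):
    """Run classify_event over CloudTrail records and collect the findings."""
    return [f for f in (classify_event(e, inventory) for e in events) if f]


def _record(role, session, src, name, account="123456789012"):
    """Build a minimal constructed CloudTrail record."""
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{account}:assumed-role/{role}/{session}"}}


# Constructed log: the payments task's own call; the same session used from the
# web-frontend task's address (what a stolen credential looks like); a normal
# web-frontend call; a payments-role session for a task that does not exist;
# and an instance-role call, which this check deliberately ignores.
SAMPLE_EVENTS = [
    _record("payments-task-role", "6f8e2b1a4c0d4e9fa1b2c3d4e5f60718", "10.0.1.25", "GetSecretValue"),
    _record("payments-task-role", "6f8e2b1a4c0d4e9fa1b2c3d4e5f60718", "10.0.1.40", "GetSecretValue"),
    _record("web-frontend-task-role", "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "10.0.1.40", "GetObject"),
    _record("payments-task-role", "ffffffffffffffffffffffffffffffff", "10.0.1.40", "ListSecrets"),
    _record("ecsInstanceRole", "i-0123456789abcdef0", "10.0.1.5", "DiscoverPollEndpoint"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The check loses resolution when tasks reach AWS APIs through a NAT gateway rather than VPC endpoints, because every task then shares the NAT's public address in sourceIPAddress; in that case compare against the set of addresses the task could plausibly use, or fall back to baselining which API calls each role normally makes.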
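The IMDS-blocking mitigations above are host settings, so they are worth auditing rather than assuming. The audit below is an added example, not code from the article or from AWS; it checks the three controls AWS documents for keeping tasks away from 169.254.169.254: ECS_AWSVPC_BLOCK_IMDS=true in /etc/ecs/ecs.config for awsvpc-mode tasks, a DOCKER-USER iptables rule dropping traffic from docker+ interfaces to 169.254.169.254/32 for bridge-mode containers, and IMDSv2 required with HttpPutResponseHopLimit=1 so a token response cannot cross the Docker bridge. The config text, iptables-save excerpts and MetadataOptions dicts are constructed, with a weak and a hardened variant of each; on a real host you would read /etc/ecs/ecs.config, run iptables-save, and take MetadataOptions from ec2:DescribeInstances.

```python
"""Audit an ECS container instance for the IMDS-blocking controls.

Added example (not from the article or from AWS). Inputs below are constructed;
the iptables parser handles the plain '-A CHAIN -flag value ...' form only.
"""

WEAK_ECS_CONFIG = """\
ECS_CLUSTER=prod
ECS_ENABLE_TASK_IAM_ROLE=true
"""

HARDENED_ECS_CONFIG = """\
ECS_CLUSTER=prod
ECS_ENABLE_TASK_IAM_ROLE=true
# Agent blocks 169.254.169.254 inside each awsvpc task network namespace.
ECS_AWSVPC_BLOCK_IMDS=true
"""

# iptables-save excerpts. The hardened one is what this documented rule produces:
#   iptables --insert DOCKER-USER 1 --in-interface docker+ \
#            --destination 169.254.169.254/32 --jump DROP
WEAK_IPTABLES = """\
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
COMMIT
"""

HARDENED_IPTABLES = """\
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""

# Shape of MetadataOptions as returned by ec2:DescribeInstances (constructed).
WEAK_METADATA = {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}
HARDENED_METADATA = {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}


def parse_ecs_config(text):
    """Parse KEY=VALUE lines of /etc/ecs/ecs.config; comments and blanks ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def bridge_imds_dropped(iptables_save):
    """True if a DOCKER-USER rule drops traffic from docker* interfaces to IMDS."""
    for line in iptables_save.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "DOCKER-USER"]:
            continue
        # Remaining tokens are flag/value pairs: ('-d', '169.254.169.254/32'), ...
        opts = dict(zip(tokens[2::2], tokens[3::2]))
        if (opts.get("-d", "").startswith("169.254.169.254")
                and opts.get("-i", "").startswith("docker")
                and opts.get("-j") == "DROP"):
            return True
    return False


def audit(ecs_config_text, iptables_save, metadata_options):
    """Return a list of findings; an empty list means all three controls are set."""
    findings = []
    cfg = parse_ecs_config(ecs_config_text)
    if cfg.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() != "true":
        findings.append("ECS_AWSVPC_BLOCK_IMDS is not true: awsvpc tasks can reach IMDS")
    if not bridge_imds_dropped(iptables_save):
        findings.append("no DOCKER-USER DROP towards 169.254.169.254: bridge-mode containers can reach IMDS")
    if metadata_options.get("HttpTokens") != "required":
        findings.append("IMDSv1 still allowed (HttpTokens != required): the hop limit gives no protection")
    if metadata_options.get("HttpPutResponseHopLimit") != 1:
        findings.append("HttpPutResponseHopLimit != 1: IMDSv2 token responses can cross the Docker bridge")
    return findings


if __name__ == "__main__":
    print("weak host:", audit(WEAK_ECS_CONFIG, WEAK_IPTABLES, WEAK_METADATA))
    print("hardened host:", audit(HARDENED_ECS_CONFIG, HARDENED_IPTABLES, HARDENED_METADATA))
```

Two caveats when rolling this out: the ECS agent itself runs in the host network namespace and keeps its IMDS access, so the instance still functions, but any task that was quietly relying on the instance role through IMDS instead of a task role will break, which is the point. Blocking IMDS only closes the path described above; it does not turn the shared instance into a trust boundary, so the page's advice to keep high-privilege tasks on dedicated instances or Fargate still stands.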