At the risk of being overly reductive, isn't this exactly the expected behavior: With ECS on EC2, the EC2 VM is a security boundary, and the container is not?
easton•3h ago
Expected, yes, but it’s not something you’d necessarily think about I guess. I never thought about the containers being able to access the EC2 metadata endpoint since ECS exposes a container specific one (although they obviously could, in hindsight).
coredog64•2h ago
The recommendation to use IMDSv2 is evergreen.
slowdog•2h ago
As a heavy EC2 user who hasn't used ECS, the behavior makes perfect sense, as ECS is running on EC2, but unless I sat and thought about it, my first instinct would be that AWS would make it "secure by default" on a container level, since containers often have different permission requirements and so the container would be the security boundary.
That said, I'm guessing it would have been obvious to anyone once they start setting up IAM permissions and therefore not much of a pitfall.
So it's a good reminder, but I agree with you, maybe the article doesn't need to be so long to get to the same point.
RainyDayTmrw•3h ago
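The thread's point (containers on an ECS host can reach the EC2 metadata endpoint, and IMDSv2 is the standard mitigation) is something you can audit. The following is an added example, not code from the thread: it evaluates instance metadata settings in the shape of the EC2 DescribeInstances `MetadataOptions` block and flags hosts where IMDSv1 is still allowed or where the IMDSv2 hop limit would let bridge-mode containers complete the token handshake. The instance IDs are constructed sample values.

```python
"""Audit EC2 metadata options for whether containers on the host could reach IMDS.

Added example. Records mirror the MetadataOptions block of the EC2
DescribeInstances API; the instance IDs are constructed sample values.
"""
from typing import Dict, List

# Constructed sample records (assumption: same keys as DescribeInstances output).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0sample0001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0sample0002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0sample0003",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0sample0004",
     "MetadataOptions": {"HttpEndpoint": "disabled"}},
]


def audit_metadata_options(instance: Dict) -> List[str]:
    """Return findings for one instance; an empty list means no exposure found."""
    opts = instance.get("MetadataOptions", {})
    findings: List[str] = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # IMDS is off entirely; nothing on the host can reach it.
    if opts.get("HttpTokens") != "required":
        # IMDSv1 permitted: a plain GET from any process on the host, containers
        # included, returns the instance role's credentials.
        findings.append("IMDSv1 allowed (HttpTokens != required)")
    if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
        # The IMDSv2 token response carries an IP TTL equal to the hop limit.
        # At 1 it cannot cross the docker bridge, so bridge-mode containers
        # cannot finish the token handshake; above 1 they can. awsvpc-mode
        # tasks are governed by the ECS agent's ECS_AWSVPC_BLOCK_IMDS setting,
        # which this check does not cover.
        findings.append("hop limit > 1 (IMDSv2 reachable through the docker bridge)")
    return findings


def audit_all(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map InstanceId -> findings, keeping only instances with at least one."""
    report: Dict[str, List[str]] = {}
    for inst in instances:
        findings = audit_metadata_options(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for iid, found in audit_all(SAMPLE_INSTANCES).items():
        print(iid, "->", "; ".join(found))
```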