ECS-cape: Hijacking IAM Privileges in Amazon ECS

Black Hat USA 2025 · Day 1 · Briefings

Security researcher Naor Aziz discovered that any container running inside an Amazon ECS EC2 cluster can impersonate the ECS agent — the control-plane bridge running on every container instance — using publicly accessible instance metadata and an internal AWS protocol called ACS, obtaining IAM credentials for every other task and task execution role running on the same EC2 instance, with no evidence of the hijack in CloudTrail logs.

AI review

Aziz found that ECS's IAM isolation guarantee — explicitly documented by AWS — was never enforced at the platform level, and any container on an EC2 instance can impersonate the ECS agent, drain credentials from every co-tenant task via the undocumented ACS WebSocket, and leave no fingerprint in CloudTrail. AWS's response was to update the documentation. Welcome to cloud security.
