Cybersecurity researchers have uncovered a vulnerability called ECScape in Amazon ECS that allows privilege escalation across containers on the same host, risking exposure of sensitive credentials. AWS recommends stronger isolation measures and best practices to mitigate such risks. #ECScape #AmazonECS #IAMVulnerabilities
Keypoints
- An βend-to-end privilege escalation chainβ was demonstrated in Amazon ECS, exploiting an undocumented internal protocol.
- The attack enables a low-privileged container to hijack higher-privileged IAM credentials on the same EC2 host.
- The vulnerability allows impersonation of ECS agents to harvest credentials for all tasks on the instance.
- Amazon emphasizes the need for enhanced container isolation and recommends using AWS Fargate where possible.
- Mitigations include avoiding co-locating high-privilege and untrusted tasks, restricting metadata service access, and monitoring IAM role usage.
Read More: https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html