Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft

What’s new: Researchers have identified a vulnerability in Amazon Elastic Container Service (ECS) dubbed “ECScape,” which allows low-privileged containers to hijack IAM credentials from higher-privileged containers on the same EC2 instance. This flaw can lead to privilege escalation, lateral movement, and access to sensitive data within the cloud environment. The findings were presented at the Black Hat USA security conference on August 6, 2025.

Who’s affected

Organizations running Amazon ECS tasks on shared EC2 instances may be at risk, particularly where low-privileged tasks are scheduled alongside high-privileged tasks. The attack abuses the ECS internal protocol and the instance metadata service (IMDS) to obtain IAM credentials belonging to other tasks on the same host.

What to do

  • Avoid deploying high-privilege tasks alongside untrusted or low-privilege tasks on the same EC2 instance.
  • Consider using AWS Fargate for improved task isolation.
  • Disable or restrict access to the instance metadata service (IMDS) for tasks.
  • Limit permissions for the ECS agent and set up CloudTrail alerts to monitor unusual IAM role usage.
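The last item above, alerting on unusual IAM role usage, is the one that can be demonstrated with code. The block below is an added example, not code from the researchers, AWS, or the original report: it scans CloudTrail-style records (constructed here, not real logs) and flags any API call made under an ECS task role's assumed-role session that falls outside a per-role baseline of expected actions. The role names, account id and baseline are assumptions for the example; in practice the baseline would be built from the task definition's IAM policy or from a learning period of normal traffic. Because stolen credentials in this scenario are used from the same instance, source IP is not a useful signal, which is why the check keys on the action rather than the caller's address.

```python
import json

# Constructed sample CloudTrail records (not real logs). An ECS task role shows up
# in CloudTrail as an assumed-role session whose ARN has the form
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-task-role/web-1"},
     "sourceIPAddress": "10.0.1.25"},
    {"eventName": "Query", "eventSource": "dynamodb.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/billing-task-role/billing-1"},
     "sourceIPAddress": "10.0.1.25"},
    # Two calls under the billing role that its baseline does not allow: the kind
    # of activity expected if a lower-privileged task on the host used its credentials.
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/billing-task-role/billing-1"},
     "sourceIPAddress": "10.0.1.25"},
    {"eventName": "ListRoles", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/billing-task-role/billing-1"},
     "sourceIPAddress": "10.0.1.25"},
    # Not an assumed-role session; ignored by the check.
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10"},
]

# Assumed per-role baseline of "service:Action" strings each task role is expected to call.
EXPECTED_ACTIONS = {
    "web-task-role": {"s3:GetObject"},
    "billing-task-role": {"dynamodb:Query", "dynamodb:GetItem"},
}


def role_name_from_arn(arn):
    """Return the role name from an STS assumed-role ARN, or None for other ARNs."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def service_action(event):
    """Map a CloudTrail record to the 'service:Action' form used in IAM policies."""
    service = event["eventSource"].split(".", 1)[0]
    return f"{service}:{event['eventName']}"


def find_unusual_role_usage(events, baseline):
    """Flag assumed-role calls by a baselined task role that fall outside its baseline."""
    findings = []
    for event in events:
        identity = event.get("userIdentity", {})
        if identity.get("type") != "AssumedRole":
            continue
        role = role_name_from_arn(identity.get("arn", ""))
        if role not in baseline:
            continue  # Roles without a baseline are out of scope for this check.
        action = service_action(event)
        if action not in baseline[role]:
            findings.append({
                "role": role,
                "action": action,
                "session": identity["arn"].rsplit("/", 1)[1],
                "sourceIPAddress": event.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unusual_role_usage(SAMPLE_EVENTS, EXPECTED_ACTIONS):
        print(json.dumps(finding))
```

Run as a script, it prints one JSON line per finding; the same function can be dropped into a Lambda fed by CloudTrail or an EventBridge rule, with the baseline loaded from the task definitions instead of a literal.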

Sources