Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft
What’s new: Researchers have disclosed a vulnerability in Amazon Elastic Container Service (ECS), named ECScape, that lets a container running in one ECS task steal the AWS credentials of other tasks scheduled on the same EC2 instance. The technique abuses the EC2 instance role that the ECS agent obtains from the instance metadata service (IMDS): a container that can reach IMDS takes those credentials, impersonates the agent to the ECS control plane, and receives the task IAM credentials the control plane hands out for every task on that host. A low-privileged task thereby inherits the permissions of a higher-privileged neighbour, which can be used for lateral movement and control over the wider AWS environment. The findings were presented at the Black Hat USA security conference on August 6, 2025.
Who’s affected
Organizations running Amazon ECS on the EC2 launch type are at risk, particularly where tasks of different trust levels (for example an internet-facing service and an internal task with broad IAM permissions) share the same EC2 instance. The blast radius is the union of every task role on the host, plus the instance role itself.
What to do
- Do not schedule high-privilege tasks on the same EC2 instances as untrusted or low-privilege tasks; use separate clusters or placement constraints so that trust boundaries match host boundaries.
- Consider AWS Fargate, where each task runs in its own isolated compute environment rather than sharing an ECS agent and instance role with other tasks.
- Block task access to IMDS (169.254.169.254): set ECS_AWSVPC_BLOCK_IMDS=true in /etc/ecs/ecs.config for awsvpc tasks, add a DOCKER-USER iptables rule that drops traffic to IMDS from docker bridge interfaces for bridge-mode tasks, and require IMDSv2 with a PUT response hop limit of 1. Avoid host network mode for untrusted tasks, since a container sharing the host network namespace bypasses all of these controls.
- Restrict the EC2 instance role used by the ECS agent to the minimum the agent needs, and keep task roles least-privilege so that a stolen task credential is worth as little as possible.
- Set up CloudTrail alerts on unusual use of IAM roles, for example ECS agent API calls made with the instance role from unexpected source addresses or user agents, and task role credentials used for APIs the task never calls.
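The hardening checklist above can be audited mechanically. The following Python is an added example (not code from the original article or from AWS) that evaluates one ECS container instance against those mitigations. Its inputs are constructed to mimic the MetadataOptions block of `aws ec2 describe-instances`, the contents of /etc/ecs/ecs.config, the output of `iptables -S DOCKER-USER`, and a per-task record carrying the task definition's network mode and task role ARN; the record shape, role names and finding codes are assumptions for the example.

```python
"""Offline audit of ECScape mitigations for a single ECS container instance.

Added example; not code from the original article or from AWS. The inputs
are constructed to look like EC2/ECS API output and host files so that the
checks run without AWS access.
"""
from __future__ import annotations

IMDS_IP = "169.254.169.254"


def parse_ecs_config(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines of /etc/ecs/ecs.config, ignoring blanks and comments."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def imds_drop_rule_present(iptables_rules: str) -> bool:
    """True if the DOCKER-USER chain (as printed by `iptables -S DOCKER-USER`)
    drops traffic from docker bridge interfaces (-i docker+ or docker0) to IMDS."""
    for rule in iptables_rules.splitlines():
        tok = rule.split()
        if "DOCKER-USER" not in tok or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "DROP":
            continue
        if any(IMDS_IP in t for t in tok) and any(t.startswith("docker") for t in tok):
            return True
    return False


def audit_instance(metadata_options: dict, ecs_config_text: str,
                   iptables_rules: str, tasks: list[dict]) -> list[str]:
    """Return finding codes (assumed names) for the mitigations that are missing."""
    findings: list[str] = []
    cfg = parse_ecs_config(ecs_config_text)
    modes = {t["networkMode"] for t in tasks}
    imdsv2_only = metadata_options.get("HttpTokens") == "required"
    hop_limit = int(metadata_options.get("HttpPutResponseHopLimit", 1))

    if not imdsv2_only:
        findings.append("IMDSV1_ALLOWED")
    if hop_limit > 1:
        # Bridge-mode containers sit one NAT hop from the host; a hop limit of 1
        # makes IMDSv2 token responses undeliverable to them.
        findings.append("IMDS_HOP_LIMIT_GT_1")
    if "awsvpc" in modes and cfg.get("ECS_AWSVPC_BLOCK_IMDS", "").lower() != "true":
        findings.append("AWSVPC_IMDS_NOT_BLOCKED")
    if "bridge" in modes and not imds_drop_rule_present(iptables_rules) \
            and not (imdsv2_only and hop_limit == 1):
        findings.append("BRIDGE_IMDS_NOT_BLOCKED")
    if "host" in modes:
        # Shares the host network namespace: none of the controls above apply.
        findings.append("HOST_NETWORK_TASK")
    roles = {t.get("taskRoleArn") for t in tasks if t.get("taskRoleArn")}
    if len(roles) > 1:
        # ECScape turns every co-located task role into one pool of privileges.
        findings.append("MIXED_TASK_ROLES_COLOCATED")
    return findings


# Constructed sample inputs (not real accounts, hosts or tasks).
ACCT = "123456789012"
WEAK_HOST = dict(
    metadata_options={"HttpTokens": "optional", "HttpPutResponseHopLimit": 2,
                      "HttpEndpoint": "enabled"},
    ecs_config_text="ECS_CLUSTER=prod\nECS_ENABLE_TASK_IAM_ROLE=true\n",
    iptables_rules="-N DOCKER-USER\n-A DOCKER-USER -j RETURN\n",
    tasks=[
        {"taskArn": f"arn:aws:ecs:us-east-1:{ACCT}:task/prod/aaa", "networkMode": "awsvpc",
         "taskRoleArn": f"arn:aws:iam::{ACCT}:role/payments-admin"},
        {"taskArn": f"arn:aws:ecs:us-east-1:{ACCT}:task/prod/bbb", "networkMode": "bridge",
         "taskRoleArn": f"arn:aws:iam::{ACCT}:role/public-web"},
    ],
)
HARDENED_HOST = dict(
    metadata_options={"HttpTokens": "required", "HttpPutResponseHopLimit": 1,
                      "HttpEndpoint": "enabled"},
    ecs_config_text="ECS_CLUSTER=prod\nECS_ENABLE_TASK_IAM_ROLE=true\n"
                    "ECS_AWSVPC_BLOCK_IMDS=true\n",
    iptables_rules="-N DOCKER-USER\n"
                   "-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP\n"
                   "-A DOCKER-USER -j RETURN\n",
    tasks=[
        {"taskArn": f"arn:aws:ecs:us-east-1:{ACCT}:task/prod/ccc", "networkMode": "awsvpc",
         "taskRoleArn": f"arn:aws:iam::{ACCT}:role/public-web"},
        {"taskArn": f"arn:aws:ecs:us-east-1:{ACCT}:task/prod/ddd", "networkMode": "bridge",
         "taskRoleArn": f"arn:aws:iam::{ACCT}:role/public-web"},
    ],
)

if __name__ == "__main__":
    for name, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(name, audit_instance(**host) or ["OK"])
```

The bridge-mode check accepts either the DOCKER-USER drop rule or IMDSv2 with a hop limit of 1, since either stops a bridged container from completing the IMDSv2 token exchange; the host-network finding is reported unconditionally because no IMDS-side control helps there. A real audit would feed the same functions from `describe-instances`, `describe-tasks` plus `describe-task-definition`, and an SSM command that reads ecs.config and the iptables chain on each host.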
Sources