AWS – Amazon ECS adds support for additional IAM condition keys

Amazon Elastic Container Service (Amazon ECS) today launched 8 new service-specific condition keys for Identity and Access Management (IAM). These new condition keys let you create IAM policies as well as Service Control Policies (SCPs) to better enforce your organizational policies in containerized environments.

IAM condition keys allow you to author policies that enforce access control based on API request context. With today’s release, Amazon ECS has added condition keys that allow you to enforce policies related to resource configuration (ecs:task-cpu, ecs:task:memory, and ecs:compute-compatibility), container privileges (ecs:privileged), network configuration (ecs:auto-assign-public-ip and ecs:subnet), and tag propagation (ecs:propagate-tags and ecs:enable-ecs-managed-tags) for your applications deployed on Amazon ECS. For example, you can use the new ecs:auto-assign-public-ip condition key to enforce that tasks in your ECS service are not assigned public IP addresses and the ecs:privileged condition key to prevent registration of task definitions with privileges over the underlying host.

The new IAM condition context keys for Amazon ECS are available in all AWS Regions. To see the full list of IAM condition context keys supported by ECS and learn more about using condition keys with Amazon ECS, please refer to our documentation.

Read More for the details.