Research provided insight into potential risks to mitigate to prevent unauthorised privilege escalation.
A compromised Amazon Elastic Container Service (ECS) task could escalate its privileges and compromise other tasks on the same Elastic Compute Cloud (EC2) instance.
Presenting at Black Hat USA 2025 in Las Vegas, Sweet Security senior software developer Naor Haziz demonstrated an exploit dubbed “ECScape” that abuses the way ECS on EC2 manages task credentials.
Haziz showed how an attacker in control of a low-privileged task could impersonate the ECS agent and potentially gain access to sensitive data or elevated permissions of other higher-privileged tasks on the instance.
While this is not a vulnerability in the underlying Amazon ECS and EC2 services, Sweet Security’s research provided insight into potential risks users of these services should consider and mitigate to prevent unauthorised privilege escalation.
“While AWS often provides agents to run on customer-controlled EC2 instances to provide service functionality […] in all cases these agents run within the customer’s security boundary, and any and all associated AWS roles (and their credentials and permissions) are understood and designed to be fully accessible to customers,” an Amazon Web Services (AWS) spokesperson said in a statement.
AWS documentation states that the EC2 instance, not the container, is the security boundary, and AWS further clarified this in an update to its “Security considerations for running containers on Amazon ECS” blog post following Sweet Security’s report on ECScape.
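Because the instance rather than the container is the boundary, one practical check is whether tasks carrying different IAM task roles are scheduled onto the same EC2 container instance. The following audit is an added example, not code from Sweet Security, AWS or the article; the records are constructed by hand and only borrow the real ECS API field names (`containerInstanceArn`, `taskDefinitionArn`, `launchType`, `taskRoleArn`), while every ARN value is made up.

```python
"""Flag EC2 container instances that host ECS tasks with different task roles.

Added example. SAMPLE_TASKS mimics the shape of ECS DescribeTasks output and
SAMPLE_TASK_DEF_ROLES mimics the taskRoleArn field of DescribeTaskDefinition;
all ARN values below are constructed placeholders.
"""
from collections import defaultdict

ACCT = "111122223333"  # constructed account id (AWS documentation style)
INST_1 = f"arn:aws:ecs:us-east-1:{ACCT}:container-instance/demo/i-one"
INST_2 = f"arn:aws:ecs:us-east-1:{ACCT}:container-instance/demo/i-two"
TD_WEB = f"arn:aws:ecs:us-east-1:{ACCT}:task-definition/web:3"
TD_BILL = f"arn:aws:ecs:us-east-1:{ACCT}:task-definition/billing:7"
TD_WORK = f"arn:aws:ecs:us-east-1:{ACCT}:task-definition/worker:1"

# Constructed sample: a low-privilege web task shares i-one with a billing
# task; i-two hosts two tasks that use the same role; one task is Fargate.
SAMPLE_TASKS = [
    {"containerInstanceArn": INST_1, "taskDefinitionArn": TD_WEB, "launchType": "EC2"},
    {"containerInstanceArn": INST_1, "taskDefinitionArn": TD_BILL, "launchType": "EC2"},
    {"containerInstanceArn": INST_2, "taskDefinitionArn": TD_BILL, "launchType": "EC2"},
    {"containerInstanceArn": INST_2, "taskDefinitionArn": TD_WORK, "launchType": "EC2"},
    {"taskDefinitionArn": TD_WEB, "launchType": "FARGATE"},  # no shared instance
]
SAMPLE_TASK_DEF_ROLES = {
    TD_WEB: None,  # task definition with no task role
    TD_BILL: f"arn:aws:iam::{ACCT}:role/billing-task",
    TD_WORK: f"arn:aws:iam::{ACCT}:role/billing-task",
}


def find_mixed_role_instances(tasks, task_def_roles):
    """Return {containerInstanceArn: sorted distinct roles} for each EC2-launch
    instance whose tasks use more than one distinct task role.

    Such co-location is the risk the ECScape research points at: a compromise
    of the least-privileged task lands inside the same security boundary as
    the others' credentials. A task with no role counts as the value "<none>".
    """
    roles_by_instance = defaultdict(set)
    for task in tasks:
        if task.get("launchType") != "EC2":
            continue  # Fargate tasks do not share a customer-managed instance
        instance = task.get("containerInstanceArn")
        if not instance:
            continue
        role = task_def_roles.get(task["taskDefinitionArn"]) or "<none>"
        roles_by_instance[instance].add(role)
    return {inst: sorted(r) for inst, r in roles_by_instance.items() if len(r) > 1}


if __name__ == "__main__":
    for inst, roles in find_mixed_role_instances(SAMPLE_TASKS, SAMPLE_TASK_DEF_ROLES).items():
        print(f"{inst}: {len(roles)} distinct task roles -> {roles}")
```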
The full version of this story originally appeared on SC US.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.