MEDIUM ECS

ECS Exec enabled

Check ID: aws-ecs-003

AWS-ECS-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags ECS services whose enableExecuteCommand setting is true, which lets any principal holding ecs:ExecuteCommand open an interactive shell in the service's running containers.

Why it matters

ECS Exec uses AWS Systems Manager Session Manager to open an interactive shell inside a running container, the equivalent of docker exec. ECS injects an SSM agent into the task at launch and the session is tunnelled out through the ssmmessages endpoints, so no inbound network path, SSH daemon or exposed port is needed; the task role must hold the ssmmessages:CreateControlChannel, CreateDataChannel, OpenControlChannel and OpenDataChannel permissions for this to work, which is itself worth looking for when reviewing task roles. While useful for debugging in development, leaving it enabled in production creates a direct access path that bypasses application-layer security controls. A principal with ecs:ExecuteCommand can read the container filesystem, dump environment variables that carry secrets, reach internal databases and services from the container's network position, and exfiltrate data through the SSM channel. CloudTrail records the ExecuteCommand API call (who opened a session, on which task and container), but the commands typed inside the session are recorded only if logging is configured on the cluster's executeCommandConfiguration: OVERRIDE writes the session to a named CloudWatch Logs group or S3 bucket, while DEFAULT reuses the container's awslogs driver and records nothing if the task definition does not use that driver. Disable ECS Exec in production and use it only in staging/development environments, granting ecs:ExecuteCommand through time-limited permissions scoped with the ecs:cluster and ecs:container-name condition keys; in production accounts, a deny on ecs:CreateService and ecs:UpdateService when ecs:enable-execute-command is true prevents the setting from being turned on at all.

Common causes

ECS Exec is enabled during debugging sessions when engineers need to inspect running containers and troubleshoot production issues. Teams that enable it for incident response forget to disable it afterward because there is no built-in expiration mechanism. Some deployment pipelines always set enable_execute_command to true as a convenience feature, treating it as a standard configuration rather than a security exception.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
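The evaluation behind this check, written out as an added example rather than cloud-audit's own code: it walks DescribeServices output for enableExecuteCommand and, for each hit, reads the cluster's executeCommandConfiguration so the finding also says whether commands typed in a session would be recorded (the caveat from "Why it matters"). The dict shapes follow the ECS DescribeServices and DescribeClusters responses; the sample account, cluster and service names are constructed, and the live scan at the bottom is an assumed helper that needs boto3 and credentials.

```python
"""Added example, not cloud-audit's own code: evaluate ECS services for the
aws-ecs-003 condition and report whether the cluster would record what is
typed in an ECS Exec session. Dict shapes follow the ECS DescribeServices
and DescribeClusters responses; names outside those APIs are assumed."""


def exec_logging_mode(cluster: dict) -> str:
    """Logging mode for ECS Exec sessions on a cluster.

    ECS keeps it in configuration.executeCommandConfiguration.logging:
    NONE, DEFAULT (reuse the container's awslogs driver, if any) or
    OVERRIDE (explicit CloudWatch Logs group / S3 bucket). The API
    documents DEFAULT as the value used when logging is unspecified.
    """
    cfg = cluster.get("configuration") or {}
    exec_cfg = cfg.get("executeCommandConfiguration") or {}
    return exec_cfg.get("logging", "DEFAULT")


def evaluate_services(services: list[dict], clusters: dict[str, dict]) -> list[dict]:
    """One finding per service whose enableExecuteCommand is true.

    `clusters` maps cluster ARN -> DescribeClusters entry. Only OVERRIDE
    guarantees a record of the session; DEFAULT depends on the task
    definition using the awslogs driver, which this function cannot see.
    """
    findings = []
    for svc in services:
        if not svc.get("enableExecuteCommand", False):
            continue
        mode = exec_logging_mode(clusters.get(svc["clusterArn"], {}))
        findings.append({
            "check_id": "aws-ecs-003",
            "severity": "MEDIUM",
            "cluster": svc["clusterArn"],
            "service": svc["serviceName"],
            "running_tasks": svc.get("runningCount", 0),
            "exec_logging": mode,
            "session_commands_recorded": mode == "OVERRIDE",
            "remediation": (
                f"aws ecs update-service --cluster {svc['clusterArn']} "
                f"--service {svc['serviceName']} --no-enable-execute-command "
                f"--force-new-deployment"
            ),
        })
    return findings


# Constructed sample data (fictitious account) in the shape of the API responses.
PROD = "arn:aws:ecs:us-east-1:111111111111:cluster/prod"
STAGING = "arn:aws:ecs:us-east-1:111111111111:cluster/staging"
SAMPLE_CLUSTERS = {
    PROD: {"clusterArn": PROD, "clusterName": "prod"},  # no exec config -> DEFAULT
    STAGING: {
        "clusterArn": STAGING,
        "clusterName": "staging",
        "configuration": {"executeCommandConfiguration": {
            "logging": "OVERRIDE",
            "logConfiguration": {"cloudWatchLogGroupName": "/ecs/exec-audit"},
        }},
    },
}
SAMPLE_SERVICES = [
    {"serviceName": "api", "clusterArn": PROD, "enableExecuteCommand": True, "runningCount": 4},
    {"serviceName": "worker", "clusterArn": PROD, "enableExecuteCommand": False, "runningCount": 2},
    {"serviceName": "api", "clusterArn": STAGING, "enableExecuteCommand": True, "runningCount": 1},
]


def scan_region(region: str) -> list[dict]:
    """Assumed helper: the same evaluation against a live account (needs boto3 + credentials)."""
    import boto3  # imported here so the offline part runs without boto3 installed

    ecs = boto3.client("ecs", region_name=region)
    cluster_arns = [a for page in ecs.get_paginator("list_clusters").paginate()
                    for a in page["clusterArns"]]
    clusters = {}
    for i in range(0, len(cluster_arns), 100):  # DescribeClusters: max 100 per call
        resp = ecs.describe_clusters(clusters=cluster_arns[i:i + 100], include=["CONFIGURATIONS"])
        clusters.update({c["clusterArn"]: c for c in resp["clusters"]})
    services = []
    for arn in cluster_arns:
        svc_arns = [s for page in ecs.get_paginator("list_services").paginate(cluster=arn)
                    for s in page["serviceArns"]]
        for i in range(0, len(svc_arns), 10):  # DescribeServices: max 10 per call
            services += ecs.describe_services(cluster=arn, services=svc_arns[i:i + 10])["services"]
    return evaluate_services(services, clusters)


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        result = scan_region(sys.argv[1])
    else:
        result = evaluate_services(SAMPLE_SERVICES, SAMPLE_CLUSTERS)
    print(json.dumps(result, indent=2))
```

Run without arguments to evaluate the constructed sample (two findings: the prod service with no session logging at all, and the staging service whose sessions go to a CloudWatch group), or pass a region name to scan a real account. The finding carries the logging mode separately from the enabled flag because the two call for different responses: an enabled service with OVERRIDE logging is a policy exception you can audit, while one on a cluster left at DEFAULT is an access path with no record of what was done.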

Remediation: AWS CLI

aws ecs update-service --cluster CLUSTER --service SERVICE_NAME --no-enable-execute-command --force-new-deployment --region REGION

Running tasks keep the setting they were launched with, so --force-new-deployment is needed to replace them with tasks that have ECS Exec disabled. Tasks started directly with run-task --enable-execute-command are not governed by the service setting and must be stopped separately.

Remediation: Terraform

resource "aws_ecs_service" "service" {
  name                   = "SERVICE_NAME"
  cluster                = "CLUSTER"
  task_definition        = "TASK_DEFINITION_ARN"
  enable_execute_command = false  # the provider default; set it explicitly so a debugging "true" shows up in review
}

This check is part of cloud-audit - install with pip install cloud-audit