Posted On: Mar 15, 2021
HAQM Elastic Container Service (HAQM ECS) introduces HAQM ECS Exec - a simple, secure, and auditable way for customers to run commands in a container running on HAQM Elastic Compute Cloud (HAQM EC2) instances or AWS Fargate. ECS Exec gives you interactive shell or single-command access to a running container, making it easier to debug issues, diagnose errors, collect one-off dumps and statistics, and interact with processes in the container.
With ECS Exec, you directly interact with the running container without interacting with the host instance, opening inbound ports, or managing SSH keys, thereby improving the security posture of your container instances. You can enable this feature at a granular level, such as ECS task or service, to help you maintain tighter security. By using AWS Identity and Access Management (IAM) policies, you can create fine-grained policies to control who can run commands against which clusters, tasks, or containers. Once access is provided, you can audit which user accessed the container using AWS CloudTrail and log each command with output to HAQM Simple Storage Service (HAQM S3) or HAQM CloudWatch Logs. This allows ECS users to safely troubleshoot bugs or system issues encountered during development and gives them a debugging tool for break-glass procedures in production for their containerized applications.
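The two controls described above, fine-grained IAM scoping and CloudTrail auditing, are easier to reason about with a concrete policy and a concrete event in hand. The following is an added example written for this page, not code from AWS or the announcement. It builds a least-privilege policy for the `ecs:ExecuteCommand` action (the API behind `aws ecs execute-command`), scoped to one cluster and one container name via the `ecs:container-name` condition key, runs a deliberately simplified allow check against it, and pulls the "who ran what, where" facts out of CloudTrail `ExecuteCommand` events. The account, region, cluster, container and task identifiers and the CloudTrail records are all constructed sample values.

```python
import fnmatch
import json

# Constructed sample identifiers for this example (not from the announcement).
ACCOUNT = "123456789012"
REGION = "us-east-1"
CLUSTER = "prod-web"
CONTAINER = "app"
TASK_ARN = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/{CLUSTER}/0123456789abcdef0"


def exec_policy(account: str, region: str, cluster: str, container: str) -> dict:
    """IAM policy allowing ECS Exec only into the named container of tasks in
    one cluster. ecs:ExecuteCommand acts on task ARNs, so the Resource is the
    task ARN pattern for that cluster; ecs:container-name narrows it further.
    ecs:DescribeTasks is included because callers need it to find task IDs."""
    task_pattern = f"arn:aws:ecs:{region}:{account}:task/{cluster}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ExecIntoOneContainer",
                "Effect": "Allow",
                "Action": "ecs:ExecuteCommand",
                "Resource": task_pattern,
                "Condition": {"StringEquals": {"ecs:container-name": container}},
            },
            {
                "Sid": "LookUpTasks",
                "Effect": "Allow",
                "Action": "ecs:DescribeTasks",
                "Resource": task_pattern,
            },
        ],
    }


def exec_allowed(policy: dict, task_arn: str, container: str) -> bool:
    """Simplified evaluation of an ExecuteCommand request against the policy:
    an Allow statement must name the action, match the task ARN (IAM '*'
    wildcard) and have every StringEquals condition satisfied. Real IAM
    evaluation adds explicit Deny, SCPs and permission boundaries; this only
    shows how the scoping in exec_policy() takes effect."""
    request_keys = {"ecs:container-name": container}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "ecs:ExecuteCommand" not in actions:
            continue
        if not fnmatch.fnmatchcase(task_arn, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_keys.get(key) == value for key, value in conditions.items()):
            return True
    return False


# Constructed CloudTrail records; the field layout follows CloudTrail's
# (eventSource, eventName, userIdentity, requestParameters).
SAMPLE_CLOUDTRAIL = [
    {
        "eventTime": "2021-03-15T10:00:00Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": "ExecuteCommand",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {
            "cluster": CLUSTER,
            "task": TASK_ARN,
            "container": CONTAINER,
            "command": "/bin/sh",
            "interactive": True,
        },
    },
    {
        "eventTime": "2021-03-15T10:00:05Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": "DescribeTasks",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"cluster": CLUSTER, "tasks": [TASK_ARN]},
    },
]


def exec_sessions(events: list) -> list:
    """Return (caller ARN, task ARN, container, command) for every ECS Exec
    invocation in a batch of CloudTrail events. CloudTrail records the API
    call that opened the session; the commands typed inside an interactive
    shell are captured by the separate S3 / CloudWatch Logs session logging."""
    sessions = []
    for event in events:
        if event["eventSource"] != "ecs.amazonaws.com":
            continue
        if event["eventName"] != "ExecuteCommand":
            continue
        params = event["requestParameters"]
        sessions.append(
            (event["userIdentity"]["arn"], params["task"], params["container"], params["command"])
        )
    return sessions


if __name__ == "__main__":
    policy = exec_policy(ACCOUNT, REGION, CLUSTER, CONTAINER)
    print(json.dumps(policy, indent=2))
    for who, task, container, command in exec_sessions(SAMPLE_CLOUDTRAIL):
        print(f"{who} opened {command!r} in {container} on {task}")
```

The allow check is where the scoping becomes visible: the same caller is permitted into `app` on a `prod-web` task, refused for a sidecar container in that task, and refused for any task in another cluster, which is the "who can run commands against which clusters, tasks, or containers" granularity the announcement describes. Tasks must also have been launched with execute-command enabled for the call to succeed, independently of IAM.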
HAQM ECS Exec is now available at no additional cost in all public AWS Regions. This feature is supported on ECS Optimized AMIs with Container Agent Version 1.50.2 and Fargate Platform Version 1.4.0 or later. Visit our documentation page or read more in the blog post about running commands in a running Linux container using ECS Exec from API, AWS Command Line Interface (CLI), AWS SDKs, or the AWS Copilot CLI.