diff --git a/data/paths/ecs/ecs-007.yaml b/data/paths/ecs/ecs-007.yaml
new file mode 100644
index 0000000..9f2cb7b
--- /dev/null
+++ b/data/paths/ecs/ecs-007.yaml
@@ -0,0 +1,31 @@
+status: draft
+
+id: ecs-007
+name: "iam:PassRole + ecs:StartTask + ecs:RegisterContainerInstance"
+category: new-passrole
+services:
+ - iam
+ - ecs
+ - ec2
+
+permissions:
+ required:
+ - permission: iam:PassRole
+ resourceConstraints: Target role ARN must be in the Resource section
+ - permission: ecs:StartTask
+ resourceConstraints: An existing task definition must be available
+ - permission: ecs:RegisterContainerInstance
+ resourceConstraints: Must be able to register an EC2 to an existing cluster
+ additional:
+ - permission: ecs:ListClusters
+ resourceConstraints: Helpful for finding the cluster name
+ - permission: ecs:ListContainerInstances
+ resourceConstraints: Helpful for finding the container identifiers
+ - permission: ecs:ListTaskDefinitions
+ resourceConstraints: Helpful for finding the task definition names
+ - permission: ec2:DescribeSubnets
+ resourceConstraints: Helpful for finding subnets for the network configuration
+ - permission: ec2:DescribeSecurityGroups
+ resourceConstraints: Helpful for finding security groups for the network configuration
+
+description: A principal with `iam:PassRole`, `ecs:StartTask` and `ecs:RegisterContainerInstance` can register an EC2 to an ECS cluster, then override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
\ No newline at end of file
diff --git a/data/paths/ecs/ecs-008.yaml b/data/paths/ecs/ecs-008.yaml
new file mode 100644
index 0000000..794b989
--- /dev/null
+++ b/data/paths/ecs/ecs-008.yaml
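Review bot: The `description` line at the end of this hunk (and the matching line in ecs-008) attributes the passed role's permissions to "IMDS credentials", but ECS task-role credentials are not delivered over IMDS; on the EC2 launch type IMDS exposes the container instance's role instead, so the entry mislabels which identity is exposed and therefore which control mitigates it. The operative control for this path is constraining `iam:PassRole` (for example an `iam:PassedToService` condition scoped to the ECS tasks service principal) and which task definitions a principal may run, not IMDS hardening on the instance. Suggested replacement for the last sentence: `The task role credentials available inside the container then carry the permissions of the passed role.` Separately, the `required` list gives the principal no way to obtain an EC2 instance running the ECS agent, which `ecs:RegisterContainerInstance` presumably needs (e.g. `ec2:RunInstances` or control of an existing instance), so the prerequisites look incomplete; `status: draft` suggests this is known, but it is worth stating in the entry.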
@@ -0,0 +1,26 @@
+status: draft
+
+id: ecs-008
+name: "iam:PassRole + ecs:RunTask"
+category: new-passrole
+services:
+ - iam
+ - ecs
+
+permissions:
+ required:
+ - permission: iam:PassRole
+ resourceConstraints: Target role ARN must be in the Resource section
+ - permission: ecs:RunTask
+ resourceConstraints: An existing task definition must be available
+ additional:
+ - permission: ecs:ListClusters
+ resourceConstraints: Helpful for finding the cluster name
+ - permission: ecs:ListTaskDefinitions
+ resourceConstraints: Helpful for finding the task definition names
+ - permission: ec2:DescribeSubnets
+ resourceConstraints: Helpful for finding subnets for the network configuration
+ - permission: ec2:DescribeSecurityGroups
+ resourceConstraints: Helpful for finding security groups for the network configuration
+
+description: A principal with `iam:PassRole` and `ecs:RunTask` can override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
\ No newline at end of file
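Review bot: The `resourceConstraints` values under `additional` in this hunk (and in ecs-007) are discovery hints such as `Helpful for finding the cluster name`, not resource constraints, so any consumer that reads this field as a policy-scoping condition will get free text where the `required` entries carry a real constraint like `Target role ARN must be in the Resource section`. If the schema permits it, moving the hints to a separate key (for example `note: Helpful for finding the cluster name`) and leaving `resourceConstraints` empty or absent for those entries keeps the field's meaning consistent across the file. The file also ends without a trailing newline, which the diff marks; adding one keeps the data files consistent with usual YAML tooling expectations.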