From 8011703f916e2211b2b05853dd9d9b4b14f8dabe Mon Sep 17 00:00:00 2001
From: "Thomas.Taylor-MacLean"
Date: Mon, 16 Feb 2026 14:01:45 +0000
Subject: [PATCH] Add ECS-007 and ECS-008: RunTask and StartTask
---
 data/paths/ecs/ecs-007.yaml | 31 +++++++++++++++++++++++++++++++
 data/paths/ecs/ecs-008.yaml | 26 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 data/paths/ecs/ecs-007.yaml
 create mode 100644 data/paths/ecs/ecs-008.yaml
diff --git a/data/paths/ecs/ecs-007.yaml b/data/paths/ecs/ecs-007.yaml
new file mode 100644
index 0000000..9f2cb7b
--- /dev/null
+++ b/data/paths/ecs/ecs-007.yaml
@@ -0,0 +1,31 @@
+status: draft
+
+id: ecs-007
+name: "iam:PassRole + ecs:StartTask + ecs:RegisterContainerInstance"
+category: new-passrole
+services:
+ - iam
+ - ecs
+ - ec2
+
+permissions:
+ required:
+ - permission: iam:PassRole
+ resourceConstraints: Target role ARN must be in the Resource section
+ - permission: ecs:StartTask
+ resourceConstraints: An existing task definition must be available
+ - permission: ecs:RegisterContainerInstance
+ resourceConstraints: Must be able to register an EC2 to an existing cluster
+ additional:
+ - permission: ecs:ListClusters
+ resourceConstraints: Helpful for finding the cluster name
+ - permission: ecs:ListContainerInstances
+ resourceConstraints: Helpful for finding the container identifiers
+ - permission: ecs:ListTaskDefinitions
+ resourceConstraints: Helpful for finding the task definition names
+ - permission: ec2:DescribeSubnets
+ resourceConstraints: Helpful for finding subnets for the network configuration
+ - permission: ec2:DescribeSecurityGroups
+ resourceConstraints: Helpful for finding security groups for the network configuration
+
+description: A principal with `iam:PassRole`, `ecs:StartTask` and `ecs:RegisterContainerInstance` can register an EC2 to an ECS cluster, then override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
\ No newline at end of file
diff --git a/data/paths/ecs/ecs-008.yaml b/data/paths/ecs/ecs-008.yaml
new file mode 100644
index 0000000..794b989
--- /dev/null
+++ b/data/paths/ecs/ecs-008.yaml
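Review bot: The closing sentence of `description` attributes the passed role's credentials to IMDS, but the role that `iam:PassRole` hands to `ecs:StartTask` is a task role (or execution role) whose credentials the ECS agent serves through the task credential endpoint, whereas the EC2 IMDS on the host serves the container instance's own instance role; the entry should say which role it means, because the detection signal (which role's sessions to watch) and the mitigation differ, and the same wording is repeated in ecs-008's description. The `iam:PassRole` resourceConstraints line also omits the precondition defenders actually control: the target role's trust policy must allow `ecs-tasks.amazonaws.com` to assume it, so the line could read `resourceConstraints: Target role ARN must be in the Resource section and the role must trust ecs-tasks.amazonaws.com (scope with iam:PassedToService)`. For `ecs:RegisterContainerInstance`, "Must be able to register an EC2 to an existing cluster" presumably means the principal already controls an EC2 host running the ECS agent or can launch one, which is a dependency outside the listed permissions and worth stating explicitly in the constraint. On style, the long single-line `description` would be easier to maintain as a `>-` folded block, and the file is committed without a trailing newline (the same applies to ecs-008).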
@@ -0,0 +1,26 @@
+status: draft
+
+id: ecs-008
+name: "iam:PassRole + ecs:RunTask"
+category: new-passrole
+services:
+ - iam
+ - ecs
+
+permissions:
+ required:
+ - permission: iam:PassRole
+ resourceConstraints: Target role ARN must be in the Resource section
+ - permission: ecs:RunTask
+ resourceConstraints: An existing task definition must be available
+ additional:
+ - permission: ecs:ListClusters
+ resourceConstraints: Helpful for finding the cluster name
+ - permission: ecs:ListTaskDefinitions
+ resourceConstraints: Helpful for finding the task definition names
+ - permission: ec2:DescribeSubnets
+ resourceConstraints: Helpful for finding subnets for the network configuration
+ - permission: ec2:DescribeSecurityGroups
+ resourceConstraints: Helpful for finding security groups for the network configuration
+
+description: A principal with `iam:PassRole` and `ecs:RunTask` can override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
\ No newline at end of file
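Review bot: `services` here lists only `iam` and `ecs`, yet the `additional` block names `ec2:DescribeSubnets` and `ec2:DescribeSecurityGroups`, while ecs-007 in the same commit lists `ec2` under the same circumstances; the two entries should follow one rule, either adding `  - ec2` here or removing it from ecs-007 if `services` is meant to reflect required permissions only (I cannot tell from the data which is intended). The `ecs:RunTask` constraint "An existing task definition must be available" would be more useful to a defender if it also recorded what makes the call dangerous — a task definition (or override) carrying a role the principal may pass — since that is what a CloudTrail `RunTask` alert on a non-empty `overrides.containerOverrides[].command` or a changed `overrides.taskRoleArn` keys on, assuming the schema has a place for such notes. As with ecs-007, the `description` is a single long plain scalar that would read better as a `>-` folded block.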