Amazon ECS Adds Support for Adding or Dropping Linux Capabilities to Containers

Posted on: Sep 22, 2017

Amazon EC2 Container Service (Amazon ECS) now allows you to add Linux capabilities to, or drop them from, containers through Docker's cap-add and cap-drop flags. Linux capabilities give fine-grained access control to processes without granting them root access to a system.

Docker containers run as "unprivileged" by default and thus are unable to execute most system and network administration operations. Docker privileged mode gives containers root access, which may not be optimal or secure for many workloads. With cap-add and cap-drop, you can specify the capabilities to add or drop for each container in a task definition. This gives you fine-grained control to run containerized applications that require additional permissions without adding unnecessary security risk.
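The following task definition is an added example, not taken from this announcement or from the Amazon ECS documentation; the family name, container name, image reference, memory size and user ID are placeholders chosen for illustration. It shows the least-privilege pattern the announcement enables: drop every capability, then add back only NET_BIND_SERVICE so a non-root web server can bind port 80, instead of running the container in privileged mode. ECS writes capability names without the CAP_ prefix, and ALL is accepted in the drop list.

```json
{
  "family": "web-frontend-example",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "example.com/web-frontend:placeholder",
      "memory": 256,
      "essential": true,
      "user": "1000",
      "portMappings": [
        { "containerPort": 80, "hostPort": 80, "protocol": "tcp" }
      ],
      "linuxParameters": {
        "capabilities": {
          "drop": ["ALL"],
          "add": ["NET_BIND_SERVICE"]
        }
      }
    }
  ]
}
```

Register it with `aws ecs register-task-definition --cli-input-json file://task-def.json`. The relevant fields are `linuxParameters.capabilities.add` and `linuxParameters.capabilities.drop` on each container definition; leaving `privileged` unset (it defaults to false) keeps the container unprivileged. To confirm the result inside a running container, `grep Cap /proc/1/status` shows the effective capability bitmask, and `capsh --print` (where the libcap tools are installed) decodes it by name.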

Learn more about using cap-add and cap-drop with Amazon ECS in our documentation.

Amazon EC2 Container Service is available in US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), EU (London), and China (Beijing). For more information on AWS Regions and services, please visit the AWS Global Infrastructure page.