Posted On: Mar 15, 2021

Amazon Elastic Container Service (Amazon ECS) introduces Amazon ECS Exec - a simple, secure, and auditable way for customers to run commands in a container running on Amazon Elastic Compute Cloud (Amazon EC2) instances or AWS Fargate. ECS Exec gives you interactive shell or single command access to a running container making it easier to debug issues, diagnose errors, collect one-off dumps and statistics, and interact with processes in the container.

With ECS Exec, you directly interact with the running container without interacting with the host instance, opening inbound ports, or managing SSH keys, thereby improving the security posture of your container instances. You can enable this feature at a granular level, such as ECS task or service, to help you maintain tighter security. By using AWS Identity and Access Management (IAM) policies, you can create fine-grained policies to control who can run commands against which clusters, tasks, or containers. Once access is provided, you can audit which user accessed the container using AWS CloudTrail and log each command with output to Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch Logs. This allows ECS users to safely troubleshoot bugs or system issues encountered during development and gives them a debugging tool for break-glass procedures in production for their containerized applications.

Amazon ECS Exec is now available at no additional cost in all public AWS Regions. This feature is supported on ECS Optimized AMIs with Container Agent Version 1.50.2 and Fargate Platform Version 1.4.0 or later. Visit our documentation page or read more in the blog post about running commands in a running Linux container using ECS Exec from API, AWS Command Line Interface (CLI), AWS SDKs, or the AWS Copilot CLI.