ECScape Vulnerability Exploits Amazon ECS Protocol to Steal Cross-Task AWS Credentials

Image credit: Freepik

VTA-004530 – ECScape Vulnerability Exploits Amazon ECS Protocol to Steal Cross-Task AWS Credentials

The ECScape vulnerability exposes a critical design flaw in Amazon ECS where malicious containers can exploit the Agent Communication Service (ACS) protocol to steal IAM credentials from co-located tasks.

By forging WebSocket connections to AWS’s control plane using instance metadata credentials, attackers bypass container isolation to harvest both task roles and execution roles, gaining unauthorized access to sensitive services like Secrets Manager. This attack requires no container breakout and leaves normal-looking CloudTrail logs, making detection challenging.

Immediate mitigation requires architectural changes (preferring Fargate over EC2 launch types), strict task placement policies to prevent mixed-trust deployments, IMDS hardening, and enhanced monitoring for anomalous credential usage patterns across AWS services.
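Because the stolen credentials are a legitimate task-role session, the CloudTrail entries look normal and cannot be flagged by source IP alone (the attacker sits on the same host). The following is an added example, not code from the original advisory or from the referenced research, of two heuristics a detection engineer could run over CloudTrail records: a per-role allowlist of expected service endpoints (the `EXPECTED_SERVICES` map, role names and sample records are all constructed here), and a check for the same role session appearing with more than one User-Agent string, which suggests the credentials were copied into a second process or SDK.

```python
"""Flag suspicious use of ECS task-role credentials in CloudTrail records.

Heuristics (this example's assumptions, not an AWS-provided detection):
  * each task role has an expected set of service endpoints (eventSource);
    a call outside that profile is reported
  * one assumed-role session seen with several User-Agent strings suggests
    its credentials are being reused from another process or SDK
"""
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields the checks use.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userAgent": "aws-sdk-java/2.20.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-task-role/abc123"}},
    {"eventID": "evt-2", "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userAgent": "aws-sdk-java/2.20.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-task-role/abc123"}},
    # Same session, but now driven from the CLI and calling a service the app never uses.
    {"eventID": "evt-3", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-task-role/abc123"}},
    {"eventID": "evt-4", "eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-task-role/abc123"}},
    {"eventID": "evt-5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-frontend-task-role/def456"}},
    # Not a role session at all; ignored by the checks.
    {"eventID": "evt-6", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Assumed baseline: which service endpoints each task role is expected to call.
EXPECTED_SERVICES = {
    "payments-task-role": {"secretsmanager.amazonaws.com", "dynamodb.amazonaws.com"},
    "web-frontend-task-role": {"s3.amazonaws.com"},
}


def role_and_session(record):
    """Return (role name, session name) for an AssumedRole record, else None."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    _, rest = identity["arn"].split(":assumed-role/", 1)
    role, session = rest.split("/", 1)
    return role, session


def find_anomalies(records, expected=EXPECTED_SERVICES):
    """Run both heuristics and return a list of finding dicts."""
    findings = []
    agents_by_session = defaultdict(set)
    for rec in records:
        parsed = role_and_session(rec)
        if parsed is None:
            continue
        role, session = parsed
        if role not in expected:
            continue  # not a task role we have a baseline for
        if rec["eventSource"] not in expected[role]:
            findings.append({"rule": "unexpected-service", "role": role, "session": session,
                             "eventSource": rec["eventSource"], "eventName": rec["eventName"],
                             "eventID": rec["eventID"]})
        agents_by_session[(role, session)].add(rec.get("userAgent", ""))
    for (role, session), agents in agents_by_session.items():
        if len(agents) > 1:
            findings.append({"rule": "multiple-user-agents", "role": role, "session": session,
                             "userAgents": sorted(agents)})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_RECORDS):
        print(finding)
```

Both checks are baselines rather than signatures: the service allowlist has to be derived from what each task actually does, and a User-Agent change is a weak signal that an attacker who reuses the victim's SDK would not trigger, so it is best combined with the least-privilege and placement controls listed below.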

Severity:
Medium

Attack Surface:
Cloud Service, Infrastructure, Storage, System Management Service

Tactics:
Credential Access, Defense Evasion, Initial Access, Lateral Movement

Techniques:
T1526 – Cloud Service Discovery
T1552.002 – Unsecured Credentials: Credentials in Registry
T1539 – Steal Web Session Cookie
T1078.004 – Valid Accounts: Cloud Accounts
T1550.003 – Use Alternate Authentication Material: Pass the Ticket

References:
1. https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs

SuperPRO’s Threat Countermeasures Procedures:
1. Migrate sensitive workloads to AWS Fargate for VM-level isolation.
2. Implement strict task placement constraints to prevent co-location of trusted/untrusted containers.
3. Enforce IMDSv2 and set ECS_AWSVPC_BLOCK_IMDS=true where possible.
4. Apply least-privilege principles to all task IAM roles.
5. Monitor CloudTrail for unusual API calls from task roles.
6. Drop unnecessary Linux capabilities in container definitions.
7. Segment ECS clusters by sensitivity level.
8. Implement credential boundary policies in IAM.
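Several of the steps above (Fargate launch type, placement constraints, IMDS blocking, dropped capabilities, a task role on every task) can be checked mechanically against the task definition and the agent's `/etc/ecs/ecs.config`. The following is an added example, not code from the advisory or from AWS, that audits constructed task definitions and agent config text; the field names follow the ECS task definition schema, while the `trust-level` placement attribute and the "drop ALL capabilities" threshold are this example's assumptions.

```python
"""Audit ECS task definitions and ECS agent config against the hardening steps.

Field names (requiresCompatibilities, networkMode, placementConstraints,
linuxParameters.capabilities, taskRoleArn) are from the ECS task definition
schema; ECS_AWSVPC_BLOCK_IMDS is an ECS agent setting. The placement attribute
name 'trust-level' and the capability threshold are assumptions of this example.
"""

# Constructed /etc/ecs/ecs.config contents.
AGENT_CONFIG_HARDENED = "ECS_CLUSTER=prod\n# block IMDS for awsvpc tasks\nECS_AWSVPC_BLOCK_IMDS=true\n"
AGENT_CONFIG_DEFAULT = "ECS_CLUSTER=prod\n"

# Constructed task definitions (trimmed to the fields the audit uses).
TASK_DEF_HARDENED = {
    "family": "payments",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/payments-task-role",
    "containerDefinitions": [
        {"name": "api", "linuxParameters": {"capabilities": {"drop": ["ALL"]}}},
    ],
}
TASK_DEF_WEAK = {
    "family": "legacy-web",
    "requiresCompatibilities": ["EC2"],
    "networkMode": "bridge",
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-frontend-task-role",
    "placementConstraints": [],
    "containerDefinitions": [
        {"name": "web", "privileged": False},
    ],
}


def parse_agent_config(text):
    """Parse KEY=VALUE lines of ecs.config, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def imds_blocked_for_tasks(config_text):
    """True when the agent is configured to block IMDS for awsvpc-mode tasks."""
    return parse_agent_config(config_text).get("ECS_AWSVPC_BLOCK_IMDS", "").lower() == "true"


def has_trust_placement(task_def, attribute="trust-level"):
    """memberOf constraint that pins the task to hosts tagged with a trust attribute."""
    return any(c.get("type") == "memberOf" and f"attribute:{attribute}" in c.get("expression", "")
               for c in task_def.get("placementConstraints", []))


def audit_task_definition(task_def):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        findings.append("launch type: not restricted to Fargate; task shares an EC2 host with other tasks")
        # On EC2 the placement constraint is what keeps mixed-trust tasks apart.
        if not has_trust_placement(task_def):
            findings.append("placement: no memberOf constraint on a trust-level attribute")
    if task_def.get("networkMode") != "awsvpc":
        findings.append("network: not awsvpc, so ECS_AWSVPC_BLOCK_IMDS does not apply to this task")
    if not task_def.get("taskRoleArn"):
        findings.append("iam: no taskRoleArn; containers will reach instance credentials via IMDS unless blocked")
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "?")
        if container.get("privileged"):
            findings.append(f"container {name}: privileged")
        dropped = set(container.get("linuxParameters", {}).get("capabilities", {}).get("drop", []))
        if "ALL" not in dropped:
            findings.append(f"container {name}: does not drop ALL Linux capabilities")
    return findings


if __name__ == "__main__":
    for td in (TASK_DEF_HARDENED, TASK_DEF_WEAK):
        print(td["family"], audit_task_definition(td) or ["ok"])
    print("IMDS blocked:", imds_blocked_for_tasks(AGENT_CONFIG_HARDENED))
```

The audit is deliberately strict: a task that is not Fargate-only gets an extra placement finding, because on shared EC2 hosts the placement constraint is the only thing that keeps a sensitive task from landing next to an untrusted one. In practice the task definitions would come from `aws ecs describe-task-definition` rather than constants.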

Contributed by: Anas