Posted On: Mar 16, 2021

Amazon Elastic Container Service (Amazon ECS) introduces Amazon ECS Exec - a simple, secure, and auditable way for customers to execute commands in a container running on Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon Fargate. ECS Exec gives you interactive shell or single command access to a running container making it easier to debug issues, diagnose errors, collect one-off dumps and statistics, and interact with processes in the container.

With ECS Exec, you directly interact with the running container without interacting with the host instance, opening inbound ports, or managing SSH keys, thereby improving the security posture of your container instances. You can enable this feature at a granular level, such as ECS task or service, to help you maintain tighter security. By using Amazon Identity and Access Management (IAM) policies, you can create fine-grained policies to control who can execute commands against which clusters, tasks, or containers. Once access is provided, you can audit which user accessed the container using Amazon CloudTrail and log each command with output to Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch Logs. This allows ECS users to safely troubleshoot bugs or system issues encountered during development and gives them a debugging tool for break-glass procedures in production for their containerized applications.

Amazon ECS Exec is now available at no additional cost in all public Amazon Web Services Regions including Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD. This feature is supported on ECS Optimized AMIs with Container Agent Version 1.50.2 and Fargate Platform Version 1.4.0 or later. Visit our documentation page or read more in the blog post about executing commands in a running Linux container using ECS Exec from API, Amazon Command Line Interface (CLI), or the Amazon SDKs.