Black Hat USA 2025 | ECS-Cape – Hijacking IAM Privileges in Amazon ECS
Why It Matters
If exploited, a single compromised container can seize IAM privileges across an entire ECS cluster, giving attackers unfettered access to all workloads and data.
Key Takeaways
- ECS tasks can impersonate the ECS agent via the internal ACS protocol.
- Instance role credentials allow tasks to discover the poll endpoint and metadata.
- The container introspection API reveals the container instance ARN needed for full impersonation.
- The exploited vulnerability grants access to all task and execution roles on the host.
- Mitigations include restricting IMDS, removing host mounts, and tightening permissions.
Summary
The Black Hat talk unveiled a critical flaw dubbed "ECS-Cape" that lets a single container running on an Amazon ECS-EC2 instance hijack the IAM credentials of every other container on the same host. By abusing the internal Agent Communication Service (ACS) protocol, an attacker can masquerade as the ECS agent and retrieve temporary credentials for both task and task-execution roles, effectively compromising the entire workload.

The researcher demonstrated how the ECS agent registers the container instance, discovers a poll endpoint, and opens a websocket with a "sendCredentials=true" flag. Because the EC2 instance's IAM role is exposed via the Instance Metadata Service (IMDS), a malicious task can obtain the same role, call the discover-poll API, and, using the container introspection endpoint, harvest the container-instance ARN needed to forge a valid ACS request. The resulting websocket streams assumed credentials for every task on the node, with no AssumeRole call required.

Key evidence included captured websocket messages showing raw task credentials and the realization that the "sendCredentials" query parameter is the linchpin. The demonstrated attack relied on predictable poll-endpoint URLs, IMDS-derived region and instance data, and the introspection API to reconstruct the full request without any special host-mount configuration, showing that the exploit works in typical ECS-EC2 deployments.

The vulnerability threatens a large segment of cloud workloads: roughly one-third of developers using container orchestration rely on ECS. Organizations must tighten instance-role policies, disable or restrict IMDS access, avoid exposing host file systems, and consider revoking the discover-poll and register-container-instance permissions from tasks. Monitoring for unauthorized ACS websocket connections and auditing ECS agent activity become essential controls.
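The mitigations above are configuration checks a defender can run offline. The following is an added example, not code from the talk, the researcher or AWS: a small Python audit that flags the three host-level weaknesses the summary names, namely IMDS reachable from containers (IMDSv1 allowed, a PUT hop limit above 1, or the ECS agent's ECS_AWSVPC_BLOCK_IMDS setting left unset), host file-system mounts and host-network or privileged containers in task definitions. The input shapes follow the EC2 DescribeInstances MetadataOptions structure, the KEY=VALUE format of /etc/ecs/ecs.config and the ECS task-definition JSON; the sample "weak" and "hardened" inputs are constructed for the example, and the list of sensitive host paths is the author's own choice, not an AWS-published list.

```python
"""Offline posture audit for ECS-on-EC2 hosts (added example, not the talk's code).

Covers the mitigations the talk summary lists: IMDS reachability from
containers, host file-system mounts, and host-network / privileged tasks.
All inputs are constructed samples; nothing here talks to AWS.
"""
from __future__ import annotations

# Host paths that, once mounted into a task, hand it the Docker socket or the
# ECS agent's on-host state.  This list is an assumption for the example.
SENSITIVE_HOST_PATHS = ("/var/run", "/var/run/docker.sock", "/var/lib/ecs",
                        "/var/lib/docker", "/etc/ecs", "/proc")


def _is_sensitive(path: str) -> bool:
    """True for the host root or any path at/under a sensitive prefix."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def audit_metadata_options(metadata_options: dict) -> list[str]:
    """Findings for one instance's MetadataOptions (EC2 DescribeInstances shape)."""
    findings: list[str] = []
    if metadata_options.get("HttpEndpoint") == "disabled":
        return findings  # IMDS unreachable from the whole host
    if metadata_options.get("HttpTokens") != "required":
        findings.append("IMDSv1 permitted (HttpTokens != required)")
    if int(metadata_options.get("HttpPutResponseHopLimit", 1)) > 1:
        findings.append("HttpPutResponseHopLimit > 1: bridge-mode containers can reach IMDS")
    return findings


def audit_agent_config(ecs_config_text: str) -> list[str]:
    """Findings for an /etc/ecs/ecs.config file (KEY=VALUE lines, '#' comments)."""
    settings: dict[str, str] = {}
    for raw in ecs_config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().lower()
    findings: list[str] = []
    if settings.get("ECS_AWSVPC_BLOCK_IMDS") != "true":
        findings.append("ECS_AWSVPC_BLOCK_IMDS not true: awsvpc tasks can reach IMDS")
    return findings


def audit_task_definition(taskdef: dict) -> list[str]:
    """Findings for one registered task definition (ECS JSON shape)."""
    findings: list[str] = []
    if taskdef.get("networkMode") == "host":
        findings.append("networkMode=host shares the host network namespace (IMDS reachable)")
    for vol in taskdef.get("volumes", []):
        path = vol.get("host", {}).get("sourcePath")  # None => Docker-managed volume
        if path is not None and _is_sensitive(path):
            findings.append(f"volume {vol.get('name')!r} mounts host path {path}")
    for container in taskdef.get("containerDefinitions", []):
        if container.get("privileged"):
            findings.append(f"container {container.get('name')!r} runs privileged")
    return findings


def audit_host(metadata_options: dict, ecs_config_text: str,
               taskdefs: list[dict]) -> dict[str, list[str]]:
    """Aggregate findings for one container instance and the task definitions it runs."""
    report = {"imds": audit_metadata_options(metadata_options),
              "agent": audit_agent_config(ecs_config_text)}
    for td in taskdefs:
        report[f"task:{td.get('family')}"] = audit_task_definition(td)
    return report


# --- constructed sample inputs (weak vs hardened) ---
WEAK_METADATA = {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}
HARDENED_METADATA = {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}
WEAK_AGENT_CONFIG = "ECS_CLUSTER=prod\n"
HARDENED_AGENT_CONFIG = "ECS_CLUSTER=prod\n# block IMDS for awsvpc tasks\nECS_AWSVPC_BLOCK_IMDS=true\n"
WEAK_TASKDEF = {
    "family": "log-shipper", "networkMode": "bridge",
    "volumes": [{"name": "dockersock", "host": {"sourcePath": "/var/run/docker.sock"}}],
    "containerDefinitions": [{"name": "shipper", "privileged": True,
                              "mountPoints": [{"sourceVolume": "dockersock",
                                               "containerPath": "/var/run/docker.sock"}]}],
}
HARDENED_TASKDEF = {
    "family": "api", "networkMode": "awsvpc",
    "volumes": [{"name": "scratch", "host": {}}],
    "containerDefinitions": [{"name": "api"}],
}

if __name__ == "__main__":
    for label, report in (("weak host", audit_host(WEAK_METADATA, WEAK_AGENT_CONFIG, [WEAK_TASKDEF])),
                          ("hardened host", audit_host(HARDENED_METADATA, HARDENED_AGENT_CONFIG, [HARDENED_TASKDEF]))):
        print(f"== {label} ==")
        for area, items in report.items():
            print(f"  {area}: {items or 'ok'}")
```

Note the limit of what this audit covers: it reduces a task's ability to reach IMDS and the host file system, which is the prerequisite the summary describes for obtaining the instance role, but the instance role itself still legitimately holds the discover-poll and register-container-instance permissions the ECS agent needs. Scoping that role, and monitoring DiscoverPollEndpoint activity and ACS connections that do not originate from the agent, remain separate controls.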