AWS - ECS Enum
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE). Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE).
Amazon Elastic Container Service (ECS) provides a platform to host containerized applications in the cloud. ECS has two deployment methods: the EC2 instance type and a serverless option, Fargate. The service makes running containers in the cloud very easy and pain-free.
ECS operates using the following three building blocks: Clusters, Services, and Task Definitions.
Clusters are groups of containers that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the EC2 launch type as allowing customers “to run [their] containerized applications on a cluster of Amazon EC2 instances that [they] manage”. Fargate is similar and is defined as “[allowing] you to run your containerized applications without the need to provision and manage the backend infrastructure”.
Services are created inside a cluster and are responsible for running the tasks. Inside a service definition you define the number of tasks to run, auto scaling, the capacity provider (Fargate/EC2/External), and networking information such as VPCs, subnets, and security groups.
There are 2 types of applications:
Service: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
Task: A standalone task that runs and terminates. For example, a batch job.
Among the service applications, there are 2 types of service schedulers:
REPLICA: The replica scheduling strategy places and maintains the desired number of tasks across your cluster. If for some reason a task shuts down, a new one is launched on the same or a different node.
DAEMON: Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
Task Definitions are responsible for defining which containers will run and the various parameters configured for them, such as port mappings with the host, env variables, Docker entrypoint...
Check env variables for sensitive info!
Task definitions are responsible for configuring the actual containers that will be running in ECS. Since task definitions define how containers will run, a plethora of information can be found within.
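An added example (not from the original page or from Pacu): a Python audit that flags plaintext environment variables in a task definition that look like credentials, so they can be moved to the container's secrets block, which references Secrets Manager or SSM Parameter Store instead of holding the value. The sample JSON is constructed, the access key is the example key from AWS documentation, and the name and value patterns are illustrative assumptions rather than a complete rule set.

```python
import json
import re

# Variable names that usually hold credentials (illustrative, not exhaustive).
NAME_RE = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Value shapes that are credentials regardless of the variable name.
VALUE_RES = {
    "AWS access key ID": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credentials in URL": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}

def audit_task_definition(doc):
    """Return (container, variable, reason) for each plaintext env var that looks sensitive."""
    td = doc.get("taskDefinition", doc)  # accept the CLI wrapper or the bare object
    findings = []
    for c in td.get("containerDefinitions", []):
        # Only 'environment' is scanned: entries under 'secrets' are references, not values.
        for env in c.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            reasons = [label for label, rx in VALUE_RES.items() if rx.search(value)]
            if NAME_RE.search(name) and value:
                reasons.insert(0, "sensitive name")
            for reason in reasons:
                findings.append((c.get("name", "?"), name, reason))  # value is never echoed
    return findings

# Constructed sample, shaped like `aws ecs describe-task-definition` output.
SAMPLE = json.loads("""
{"taskDefinition": {"family": "web", "revision": 3, "containerDefinitions": [
  {"name": "app",
   "environment": [
     {"name": "LOG_LEVEL", "value": "info"},
     {"name": "DB_PASSWORD", "value": "constructed-example-value"},
     {"name": "DATABASE_URL", "value": "postgres://svc:constructed@db.internal:5432/app"},
     {"name": "UPSTREAM_ID", "value": "AKIAIOSFODNN7EXAMPLE"}],
   "secrets": [
     {"name": "API_TOKEN", "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/web/api-token"}]}
]}}
""")

if __name__ == "__main__":
    for container, var, reason in audit_task_definition(SAMPLE):
        print(f"{container}: {var} ({reason}); move to the 'secrets' block")
```

Task definition revisions are immutable, so after moving a value to secrets, rotate the credential and deregister the old revisions that still carry it.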
Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions); it can also dump task definitions.
In the following page you can check how to abuse ECS permissions to escalate privileges:
AWS - ECS Privesc