Exposing long-running tasks with ECS – Running Containers in AWS

Mike Naughton | August 9th, 2022


Often, you will want to have long-running versions of your tasks. This is a common use case for web applications. ECS has a scheduler component that monitors your running tasks and reschedules them automatically when they fail.

ECS also allows you to configure placement strategies and constraints if you like to customize how the scheduler places and terminates a task.

ECS launch types to support different ownership models

Depending on the level of control that you want on the underlying infrastructure that hosts your application containers, you can configure specific launch types with ECS. They come in two flavors:

  • ECS on EC2: The user is responsible for managing and patching the EC2 instances on which the tasks run. ECS offers official AMIs that contain the ECS agent, which communicates with the ECS control plane and orchestrates activities within your instance.
  • ECS on Fargate: This is a very interesting option for customers who are not bound by any regulatory or specific compliance requirements. AWS manages the infrastructure on your behalf and offers a strong isolated environment (lightweight VMs) where your containers are hosted. Each task gets a dedicated execution environment. The beauty of this solution is that it supports using interfaces from your existing VPCs and subnets, thereby giving you the firewalling and security control that you would expect from regular EC2 instances.

Tip

From a security standpoint, it’s important to keep your EC2 nodes updated (when not using the Fargate launch type) with recent patch upgrades. AWS publishes the currently recommended ECS-optimized AMI as an SSM parameter that you can query from your account:

aws ssm get-parameters --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended --region eu-central-1
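The parameter value returned by that command is itself a JSON document whose `image_id` field names the recommended AMI, so the natural follow-up is to compare it against the AMI your container instances were actually launched from. The script below is an added example (not from the book) that does exactly that on constructed sample data: the `SSM_OUTPUT` string imitates the shape of the CLI output with placeholder AMI IDs and versions, and `INSTANCES` stands in for the `InstanceId`/`ImageId` pairs you would pull from `ec2 describe-instances` for a cluster.

```python
import json

# Constructed sample output of:
#   aws ssm get-parameters --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended --region eu-central-1
# AMI IDs, image names and versions below are placeholders, not real values.
SSM_OUTPUT = json.dumps({
    "Parameters": [
        {
            "Name": "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended",
            "Type": "String",
            "Value": json.dumps({
                "schema_version": 1,
                "image_name": "amzn2-ami-ecs-hvm-2.0.placeholder-x86_64-ebs",
                "image_id": "ami-0recommended0000001",
                "os": "Amazon Linux 2",
                "ecs_agent_version": "1.xx.0",
            }),
            "Version": 100,
        }
    ],
    "InvalidParameters": [],
})

# Constructed sample: container instances of one cluster and the AMI each was launched from.
INSTANCES = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "ImageId": "ami-0recommended0000001"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "ImageId": "ami-0stale000000000002"},
    {"InstanceId": "i-0ccccccccccccccc3", "ImageId": "ami-0stale000000000002"},
]


def recommended_image(ssm_output: str) -> dict:
    """Return the parsed recommended-AMI record from `ssm get-parameters` output."""
    data = json.loads(ssm_output)
    if data.get("InvalidParameters"):
        raise ValueError(f"unknown parameter(s): {data['InvalidParameters']}")
    # The parameter's Value is a nested JSON document describing the AMI.
    return json.loads(data["Parameters"][0]["Value"])


def outdated_instances(ssm_output: str, instances: list) -> list:
    """Instance IDs whose AMI differs from the currently recommended ECS-optimized AMI."""
    wanted = recommended_image(ssm_output)["image_id"]
    return sorted(i["InstanceId"] for i in instances if i["ImageId"] != wanted)


if __name__ == "__main__":
    rec = recommended_image(SSM_OUTPUT)
    print(f"recommended: {rec['image_id']} ({rec['image_name']}, agent {rec['ecs_agent_version']})")
    for iid in outdated_instances(SSM_OUTPUT, INSTANCES):
        print(f"needs replacement: {iid}")
```

Run on a schedule against the live CLI output, an empty result from `outdated_instances` is the condition you want; anything else is a node that has fallen behind the recommended patch level and should be cycled (for example by updating the Auto Scaling group's launch template to the new `image_id`).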

Having covered the primary constructs in ECS, let’s also discuss some security best practices that will help you ensure a good cloud posture for your organization.

Ensuring a good security posture with ECS

Security guardrails can have multiple dimensions. AWS offers services that cater to most of these needs – be they Route53 DNS, firewall, network packet inspection through a network firewall, network access control lists for subnets, or security groups for managing traffic at the interface level. In the context of ECS (and containers in general), let’s discuss some low-hanging fruit that can provide big security benefits.

Locking down permissions with IAM roles

IAM is what defines everything around authentication and authorization in AWS. ECS is no different. The service allows you to define and map IAM roles at the ECS agent level, as well as the application task level. They are known as the ECS Task Execution Role and the ECS Task Role. The ECS task agent will typically require access to the ECR registry, SSM parameters, and CloudWatch logs. In addition to this, you can restrict the permissions for the application running inside the ECS container. When the application container bootstraps, ECS ensures that dynamic credentials are injected into it. This helps you avoid having to manage long-term static security credentials, which can be a security risk.
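The two roles are easy to conflate in practice, and the usual failure is a single role with service-wide wildcards attached to both the agent and the application. The following is an added example (not from the book) that writes out a least-privilege execution-role policy beside a minimal task-role policy, shows the over-broad shape they tend to degrade into, and runs a small audit over each. The account ID, region, repository, log group, parameter path and bucket names are constructed placeholders.

```python
# Placeholder identifiers (constructed, not from the page).
ACCOUNT = "123456789012"
REGION = "eu-central-1"

# Actions that have no resource-level permissions, so Resource "*" is unavoidable for them.
STAR_RESOURCE_OK = {"ecr:GetAuthorizationToken"}

# Execution role: only what the ECS agent needs to start the task (image pull, logs, parameters).
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability"],
         "Resource": f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/myapp"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/ecs/myapp:*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/myapp/prod/*"},
    ],
}

# Task role: only what the application code itself calls at runtime.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::myapp-assets/*"},
    ],
}

# The weak shape: one role, service-wide wildcards, reused for agent and application alike.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:*", "logs:*", "ssm:*", "s3:GetObject"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Findings for wildcard actions and for Resource '*' where ARNs could be used."""
    findings = []
    for n, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {n}: wildcard action {action!r}")
        if "*" in resources and not set(actions) <= STAR_RESOURCE_OK:
            findings.append(f"statement {n}: Resource '*' for actions that accept resource ARNs")
    return findings


def shared_actions(policy_a: dict, policy_b: dict) -> set:
    """Actions granted by both roles: a sign that one of them is scoped too widely."""
    def actions(policy):
        return {a for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"
                for a in _as_list(s.get("Action", []))}
    return actions(policy_a) & actions(policy_b)


if __name__ == "__main__":
    for name, pol in [("execution", EXECUTION_ROLE_POLICY), ("task", TASK_ROLE_POLICY),
                      ("overbroad", OVERBROAD_POLICY)]:
        print(name, audit_policy(pol) or "clean")
    print("shared:", shared_actions(EXECUTION_ROLE_POLICY, TASK_ROLE_POLICY) or "none")
```

The execution role's `ecr:GetAuthorizationToken` statement keeps `Resource: "*"` on purpose: that API has no resource-level permissions, which is why the audit carries an explicit allow-list for it rather than flagging every `*`. In the task definition these two policies back `executionRoleArn` and `taskRoleArn` respectively, and the credentials the container receives at bootstrap are those of the task role only.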
