AWS - ECS Enum

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECS

Basic Information

Amazon Elastic Container Service (ECS) provides a platform to host containerized applications in the cloud. ECS has two launch types: EC2, where the containers run on instances you manage, and Fargate, a serverless option. The service makes running containers in the cloud straightforward.

ECS operates using the following three building blocks: Clusters, Services, and Task Definitions.

  • Clusters are groups of containers that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the EC2 launch type as allowing customers “to run [their] containerized applications on a cluster of Amazon EC2 instances that [they] manage”. Fargate is similar and is defined as “[allowing] you to run your containerized applications without the need to provision and manage the backend infrastructure”.
  • Services are created inside a cluster and are responsible for running the tasks. Inside a service definition you define the number of tasks to run, auto scaling, the capacity provider (Fargate/EC2/External), and networking information such as VPCs, subnets, and security groups.
    • There are 2 types of applications:
      • Service: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
      • Task: A standalone task that runs and terminates. For example, a batch job.
    • Among the service applications, there are 2 types of service schedulers:
      • REPLICA: The replica scheduling strategy places and maintains the desired number of tasks across your cluster. If for some reason a task shuts down, a new one is launched on the same or a different node.
      • DAEMON: Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
  • Task Definitions are responsible for defining which containers will run and the various parameters configured for those containers, such as port mappings with the host, env variables, and the Docker entrypoint.
    • Check env variables for sensitive info!

Sensitive Data In Task Definitions

Task definitions are responsible for configuring the actual containers that will be running in ECS. Since task definitions define how containers will run, a plethora of information can be found within.

Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions) and can also dump task definitions.

Enumeration

# Clusters info
aws ecs list-clusters
aws ecs describe-clusters --clusters <cluster>

# Container instances
## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
aws ecs list-container-instances --cluster <cluster>
aws ecs describe-container-instances --cluster <cluster> --container-instances <container_instance_arn>

# Services info
aws ecs list-services --cluster <cluster>
aws ecs describe-services --cluster <cluster> --services <services>
aws ecs describe-task-sets --cluster <cluster> --service <service>

# Task definitions
aws ecs list-task-definition-families
aws ecs list-task-definitions
aws ecs list-tasks --cluster <cluster>
aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
## Look for env vars and secrets used from the task definition
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
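As an added audit example (not from the original page, Pacu, or AWS), the following Python 3 script (stdlib only) scans the JSON that aws ecs describe-task-definition returns for the plaintext environment variables the list above warns about, separates them from secrets that are correctly referenced via valueFrom, and records the task and execution role ARNs; the task definition embedded here is constructed sample data, not real output.

```python
import json
import re

# Constructed sample in the shape of `aws ecs describe-task-definition` output (not a real task definition).
SAMPLE_TASK_DEF = json.loads("""
{
  "taskDefinition": {
    "family": "webapp",
    "revision": 7,
    "taskRoleArn": "arn:aws:iam::123456789012:role/webapp-task",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
      {
        "name": "web",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/webapp:latest",
        "environment": [
          {"name": "LOG_LEVEL", "value": "info"},
          {"name": "DATABASE_URL", "value": "postgres://app:hunter2@db.internal:5432/app"},
          {"name": "AWS_SECRET_ACCESS_KEY", "value": "EXAMPLEKEY"}
        ],
        "secrets": [
          {"name": "API_TOKEN", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token"}
        ]
      }
    ]
  }
}
""")

# Variable names that usually hold credentials, and value shapes that embed them (URL userinfo, AWS key ids).
SENSITIVE_NAME = re.compile(r"(secret|passw|token|api[_-]?key|credential|private)", re.I)
SENSITIVE_VALUE = re.compile(r"(://[^/@\s]+:[^@\s]+@|\b(AKIA|ASIA)[0-9A-Z]{16}\b)")

def audit_task_definition(doc):
    """Return plaintext sensitive env vars, runtime secret references and role ARNs found in a task definition."""
    td = doc.get("taskDefinition", doc)  # accept the full CLI response or the bare taskDefinition object
    findings = {"plaintext_env": [], "secret_refs": [], "roles": {}}
    for key in ("taskRoleArn", "executionRoleArn"):
        if td.get(key):
            findings["roles"][key] = td[key]
    for c in td.get("containerDefinitions", []):
        for env in c.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if SENSITIVE_NAME.search(name) or SENSITIVE_VALUE.search(value):
                findings["plaintext_env"].append((c["name"], name))  # should be moved to `secrets`/valueFrom
        for s in c.get("secrets", []):
            findings["secret_refs"].append((c["name"], s["name"], s["valueFrom"]))
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_task_definition(SAMPLE_TASK_DEF), indent=2))
```

Pipe the real CLI output into json.load and call audit_task_definition on it; every entry under plaintext_env is a value that should be referenced from SSM Parameter Store or Secrets Manager instead.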

On-Host Enumeration via the ECS Agent State DB (agent.db)

When you have shell access on an ECS container instance, or you have escaped a container that has a host bind-mount of /var/lib/ecs (a common misconfiguration when tasks run privileged or use volumesFrom to expose the host data dir), the ECS agent's state file agent.db is readable on disk without any AWS API call, without any IAM permission, and without triggering CloudTrail.

/var/lib/ecs/data/agent.db

(or, when reading from a container that has the host mounted at /host, /host/var/lib/ecs/data/agent.db).

# Most useful one-liner — dumps everything readable
strings /var/lib/ecs/data/agent.db

# From inside a container with the host mounted at /host
strings /host/var/lib/ecs/data/agent.db

# Filter for the highest-value artefacts
strings /var/lib/ecs/data/agent.db | grep -aE 'arn:aws:|AKIA|ASIA|"secret|password|TOKEN|credentials|taskRoleArn|executionRoleArn'

# Save the outcome from strings for offline analysis
strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt
tr -s '{}[],:"\\' '\n' < /tmp/agent.txt | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF && length($0)>2 && !/^[0-9.]+$/' | sort -u

What you can recover

Depending on the cluster’s age and workload churn, strings against agent.db typically yields:

  • Task and execution IAM role ARNs (taskRoleArn, executionRoleArn) for every task the agent has run — useful targets for credential retrieval via the task metadata endpoint (169.254.170.2).
  • Full task definitions — image URIs (often private ECR repos), command, entrypoint, port mappings, mount points, log configuration, and plaintext environment variables that frequently include database URLs, API tokens, and third-party secrets.
  • Secrets references: secretOptions and secrets blocks pointing at SSM Parameter Store paths and Secrets Manager ARNs (a great pivot list).
  • Container instance ARN, cluster ARN, and registration token — confirms the cluster name and account/region context with no API call.
  • ENI metadata — private IPs, MAC addresses, subnet IDs, and security group IDs assigned in awsvpc mode (useful for lateral movement planning).
  • Image pull credentials — when the task definition uses repositoryCredentials, the referenced Secrets Manager ARN is here; on older agents private-registry auth blobs (ECS_ENGINE_AUTH_DATA) may also be cached.
  • Recently stopped task containers, including names, IDs, exit codes and labels, sometimes long after the corresponding aws ecs describe-tasks call has aged them out of the API response.

Unauthenticated Access

AWS - ECS Unauthenticated Enum

Privesc

On the following page you can check how to abuse ECS permissions to escalate privileges:

AWS - ECS Privesc

Post Exploitation

AWS - ECS Post Exploitation

Persistence

AWS - ECS Persistence
