AWS: How do I restrict deployment to ECS clusters using IAM
I have multiple Fargate clusters in a single AWS account. I wish to ensure that a given service account (used by the build pipeline) can only update Services within a given Fargate cluster.
The IAM policy editor prompt for the ecs:UpdateService action's resource is arn:aws:ecs::<aws_account_id>:service/, which doesn't make sense given that different clusters can have Services that share a name. aws ecs describe-tasks shows both a "clusterArn" and "serviceArn" for each task. aws ecs list-services and aws ecs describe-services only apply to Services for a given cluster.
Solution 1:
I created a policy that restricts the ecs:UpdateService action to only be able to update the arn:aws:ecs:<region>:<aws_account_id>:<service> resource, with a "StringEquals" condition specifying an ecs:cluster condition key set to the ARN of the ECS cluster. Using this method, you could give * for <service> to allow a policy to update all services in a given cluster.
Documentation: Actions, resources, and condition keys for Amazon Elastic Container Service
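The policy described in Solution 1, written out as an added example (this is not the answerer's own policy document). The region us-east-1, the account id 123456789012 and the cluster name prod-cluster are placeholders; substitute your own. The resource is a wildcard over all service ARNs in the account, and the ecs:cluster condition key is what actually scopes the permission to one cluster:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateServicesInOneClusterOnly",
      "Effect": "Allow",
      "Action": "ecs:UpdateService",
      "Resource": "arn:aws:ecs:us-east-1:123456789012:service/*",
      "Condition": {
        "StringEquals": {
          "ecs:cluster": "arn:aws:ecs:us-east-1:123456789012:cluster/prod-cluster"
        }
      }
    }
  ]
}
```

Two things to check when using this. First, the condition compares against the full cluster ARN, not the bare cluster name, so the pipeline's `aws ecs update-service --cluster prod-cluster --service <name> ...` call will match, while a call that omits --cluster (which ECS resolves to the "default" cluster) will be denied, which is the intended behaviour. Second, if your account has opted in to the long ECS service ARN format, service ARNs already embed the cluster name (arn:aws:ecs:<region>:<account>:service/<cluster-name>/<service-name>), so you can additionally narrow the Resource element to service/prod-cluster/* rather than service/*; keeping the ecs:cluster condition alongside that costs nothing and stays correct for services that still carry the old short ARN.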