
I have multiple Fargate clusters in a single AWS account. I wish to ensure that a given service account (used by the build pipeline) can only update Services within a given Fargate cluster.

The IAM policy editor's prompt for the ecs:UpdateService action's resource is arn:aws:ecs::<aws_account_id>:service/, which doesn't make sense given that different clusters can have Services that share a name. aws ecs describe-tasks shows both a "clusterArn" and a "serviceArn" for each task. aws ecs list-services and aws ecs describe-services only apply to Services in a given cluster.


1 Answer

I created a policy that restricts the ecs:UpdateService action to only be able to update the arn:aws:ecs:<region>:<aws_account_id>:<service> resource, with a "StringEquals" condition specifying an ecs:cluster condition key set to the ARN of the ECS cluster. Using this method, you could give * for <service> to allow a policy to update all services in a given cluster.

Documentation: Actions, resources, and condition keys for Amazon Elastic Container Service

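The cluster-scoped policy described in the answer, written out as an added example (not the answer author's own policy document). The region `us-east-1`, account ID `123456789012` and cluster name `build-cluster` are placeholders; the service resource is left as a wildcard under the `service/` prefix so the `ecs:cluster` condition is what limits which Services the pipeline role may touch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateServicesInBuildClusterOnly",
      "Effect": "Allow",
      "Action": "ecs:UpdateService",
      "Resource": "arn:aws:ecs:us-east-1:123456789012:service/*",
      "Condition": {
        "StringEquals": {
          "ecs:cluster": "arn:aws:ecs:us-east-1:123456789012:cluster/build-cluster"
        }
      }
    }
  ]
}
```

Two checks worth making after attaching this to the pipeline role: first, an `aws ecs update-service --cluster other-cluster --service <name> ...` call from that role should fail with AccessDeniedException, while the same call against `build-cluster` succeeds; second, if the account uses the newer long ECS ARN format, service ARNs already embed the cluster name (`service/<cluster>/<service>`), so the Resource element can be tightened to `arn:aws:ecs:us-east-1:123456789012:service/build-cluster/*` as a second, independent restriction alongside the `ecs:cluster` condition. Keep the condition even then, since it is what protects accounts still on the short ARN format, where the service ARN alone does not identify the cluster.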