by skMed 3283 days ago
> Instances get role data from the metadata service, but containers can't access that metadata and should access the local ECS agent instead (which has its own API).

Just a quick aside, but is this can't or shouldn't? I'm 100% positive you can use something like instance profile credentials from within a container (which loads credentials from the instance metadata service).

I think I agree that there's definitely a lot of depth to topics that should be covered here, and whether you want to go down the rabbit hole will vary based on org size and features you're using.

I'd personally prefer: 1. deep-dives into best practices for each feature as opposed to an on-the-surface glance. 2. enable it with examples. Include CloudFormation or Terraform scripts to set up each piece so that we actually build something. Documentation is important, but you can't learn without doing. 3. test against the security you've put in place.


Technically, shouldn't. But in AWS' documentation for container roles, they have a note that explicitly suggests implementing an iptables rule (and even provides the iptables command) to prevent access to the instance's metadata.

http://docs.aws.amazon.com/AmazonECS/latest/developerguide/t...

That said, this is another of those "more ink should be spilled" moments, since preventing access to the instance metadata is something that you SHOULD do from a security point of view.

I don't recall Task Roles being a thing when I started using EC2 Container Service. For container security and isolation, that makes a whole lot of sense.
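The rule the AWS ECS task-role documentation gives for this is inserted at position 1 of the FORWARD chain, matches in-interface `docker+` and destination `169.254.169.254/32`, and jumps to DROP. Position matters: Docker already appends its own ACCEPT rules to FORWARD, so a DROP that is appended (`-A`) instead of inserted (`-I ... 1`) sits after them and never fires, and `iptables -S FORWARD` will still list it, which makes a plain grep for the rule a misleading check. The audit helper below is an added example written for this comment thread, not code from AWS or from the commenters. It parses the output of `iptables -S FORWARD`, walks the rules in order the way the kernel does for a fresh outbound packet from a container interface to the metadata address, and reports which rule decides the verdict. The three chain dumps are constructed samples, and the packet model only covers `-i`, `-o`, `-d` and `-j` (rules with other match extensions such as `-m conntrack` are assumed not to match a new connection).

```python
"""Audit an `iptables -S FORWARD` dump for the ECS metadata-blocking rule.

Added example; it models first-match rule evaluation so that a DROP that
was appended after Docker's ACCEPT rules is correctly reported as
ineffective. Sample dumps are constructed, not captured from a real host.
"""
import ipaddress
import shlex

METADATA_IP = ipaddress.ip_address("169.254.169.254")
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: rule inserted at position 1, as the AWS docs instruct.
BLOCKED_DUMP = """\
-P FORWARD ACCEPT
-A FORWARD -i docker+ -d 169.254.169.254/32 -j DROP
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
"""
# Constructed sample: same rule, but appended after Docker's ACCEPT, so it never fires.
MISORDERED_DUMP = """\
-P FORWARD ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker+ -d 169.254.169.254/32 -j DROP
"""
# Constructed sample: no blocking rule at all.
MISSING_DUMP = """\
-P FORWARD ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
"""


def parse_rules(dump):
    """Return (chain policy, list of rule dicts) from `iptables -S` output."""
    policy = "ACCEPT"
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":            # "-P FORWARD ACCEPT"
            policy = tokens[2]
            continue
        if tokens[0] != "-A":            # ignore -N and anything else
            continue
        rule = {"in": None, "in_neg": False, "out": None, "out_neg": False,
                "dst": None, "target": None, "unmodelled": False}
        i, negate = 2, False             # tokens[1] is the chain name
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = True
                i += 1
                continue
            if tok in ("-i", "--in-interface"):
                rule["in"], rule["in_neg"] = tokens[i + 1], negate
            elif tok in ("-o", "--out-interface"):
                rule["out"], rule["out_neg"] = tokens[i + 1], negate
            elif tok in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok in ("-j", "--jump"):
                rule["target"] = tokens[i + 1]
            else:
                # -m conntrack, --ctstate, ...: not modelled; treat as a
                # match that a fresh outbound packet does not satisfy.
                rule["unmodelled"] = True
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    i += 1
                i += 1
                negate = False
                continue
            negate = False
            i += 2
        rules.append(rule)
    return policy, rules


def iface_match(pattern, name):
    """iptables interface patterns: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(rule, in_iface, out_iface, dst):
    """True if a packet (in_iface -> out_iface, to dst) matches this rule."""
    if rule["unmodelled"]:
        return False
    if rule["in"] is not None and iface_match(rule["in"], in_iface) == rule["in_neg"]:
        return False
    if rule["out"] is not None and iface_match(rule["out"], out_iface) == rule["out_neg"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    return True


def metadata_verdict(dump, in_iface="docker0", out_iface="eth0"):
    """First-match walk of the chain; returns (verdict, 1-based rule index or None)."""
    policy, rules = parse_rules(dump)
    for idx, rule in enumerate(rules, 1):
        if rule["target"] in TERMINAL_TARGETS and rule_matches(rule, in_iface, out_iface, METADATA_IP):
            return rule["target"], idx
    return policy, None                 # fell through to the chain policy


def metadata_blocked(dump):
    """True only if container traffic to the metadata address is actually dropped."""
    verdict, _ = metadata_verdict(dump)
    return verdict in ("DROP", "REJECT")


if __name__ == "__main__":
    for name, dump in (("inserted", BLOCKED_DUMP), ("appended", MISORDERED_DUMP), ("missing", MISSING_DUMP)):
        print(name, metadata_verdict(dump), "blocked" if metadata_blocked(dump) else "NOT blocked")
```

On a real host, feed it `subprocess.check_output(["iptables", "-S", "FORWARD"], text=True)` (root required) and treat anything other than a DROP or REJECT verdict as a finding; the rule index tells you whether the fix is to add the rule or to move it ahead of Docker's ACCEPTs.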