---
title: ECS service admin role is present
description: Datadog, the leading service for cloud-scale monitoring.
---

# ECS service admin role is present


## Metadata{% #metadata %}

**Id:** `ansible-aws-ecs-service-admin-role-is-present`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html)

### Description{% #description %}

ECS services must not be assigned administrative IAM roles. In `community.aws.ecs_service` (and its short name `ecs_service`), the `role` parameter is the IAM role that the ECS service itself assumes, for example to register targets with a load balancer; the permissions of the containers come from the task definition's task role. An administrative role in either position hands an attacker who compromises the service or its tasks broad, account-wide permissions and makes privilege escalation and lateral movement straightforward. The `role` value must therefore reference a least-privilege IAM role, by name or ARN, and must not contain the substring `admin` (case-insensitive). This rule flags tasks whose `role` is a string that includes `admin`. A `role` that is omitted, templated, or defined through a non-string construct may not be detected and should be reviewed to confirm that the role does not attach the `AdministratorAccess` managed policy.

Secure example referencing a least-privilege service role:

```yaml
- name: my-ecs-service
  community.aws.ecs_service:
    name: my-service
    cluster: my-cluster
    task_definition: my-task:1
    # Service role scoped to load-balancer registration only; no "admin" in the name
    role: arn:aws:iam::123456789012:role/ecsServiceRole
```
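The following scanner is an added example, not Datadog's rule engine, that implements the check described above: for tasks using `community.aws.ecs_service` or `ecs_service`, a string `role` containing `admin` (case-insensitive) is reported. It goes one step beyond the rule by also reporting roles the substring check cannot judge, namely Jinja-templated strings and non-string values, as items for manual review, and by looking inside `block`/`rescue`/`always` sections and free-form `key=value` module arguments. The sample tasks are constructed for this example; the module name set, the `args:` merge and the lazy PyYAML import in `scan_playbook_text` are assumptions of this code, not documented behaviour of the rule.

```python
"""Added example (not Datadog's rule engine): flag Ansible ECS service tasks
whose ``role`` looks administrative, as the rule above describes, and surface
roles the substring check cannot judge (templated or non-string values)."""
import shlex
from typing import Any, Dict, Iterable, List, Optional

ECS_SERVICE_MODULES = ("community.aws.ecs_service", "ecs_service")
NESTING_KEYS = ("block", "rescue", "always")                 # hold nested task lists
PLAY_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(tasks: Iterable[Any]) -> Iterable[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [task[k] for k in NESTING_KEYS if isinstance(task.get(k), list)]
        if not nested:
            yield task
        for section in nested:
            yield from iter_tasks(section)


def module_params(task: Dict[str, Any], module: str) -> Optional[Dict[str, Any]]:
    """Parameters of `module` in `task`, merging dict, free-form and args: styles."""
    if module not in task:
        return None
    value = task[module]
    params: Dict[str, Any] = {}
    if isinstance(value, dict):
        params.update(value)
    elif isinstance(value, str):                             # "key=value key=value"
        for token in shlex.split(value):
            key, sep, val = token.partition("=")
            if sep:
                params[key] = val
    if isinstance(task.get("args"), dict):                   # assumed: args: style merge
        params.update(task["args"])
    return params


def find_ecs_role_findings(tasks: Iterable[Any]) -> List[Dict[str, Any]]:
    """One finding per ECS service task whose role is admin-like ("admin-role")
    or cannot be judged statically ("review")."""
    findings: List[Dict[str, Any]] = []
    for task in iter_tasks(tasks):
        for module in ECS_SERVICE_MODULES:
            params = module_params(task, module)
            if params is None or "role" not in params:
                continue
            role, name = params["role"], task.get("name", "<unnamed>")
            if isinstance(role, str) and "{{" not in role:
                if "admin" in role.lower():                  # the rule's own check
                    findings.append({"task": name, "role": role, "kind": "admin-role"})
            else:                                            # templated or non-string
                findings.append({"task": name, "role": role, "kind": "review"})
    return findings


def scan_playbook_text(text: str) -> List[Dict[str, Any]]:
    """Scan playbook or task-file YAML; needs PyYAML (imported lazily, assumed)."""
    import yaml

    doc = yaml.safe_load(text) or []
    tasks: List[Any] = []
    for item in doc if isinstance(doc, list) else []:
        if isinstance(item, dict) and any(k in item for k in PLAY_SECTIONS):
            for section in PLAY_SECTIONS:                    # a play: collect its task lists
                tasks.extend(item.get(section) or [])
        else:
            tasks.append(item)                               # a bare task file
    return find_ecs_role_findings(tasks)


# Constructed sample tasks: the page's non-compliant task plus edge cases.
SAMPLE_TASKS = [
    {"name": "ECS Service", "community.aws.ecs_service": {
        "state": "present", "name": "console-test-service", "cluster": "new_cluster",
        "task_definition": "new_cluster-task:1", "desired_count": 0, "role": "admin"}},
    {"name": "ECS Service (ARN)", "ecs_service": {"name": "svc", "cluster": "c",
        "task_definition": "t:1", "role": "arn:aws:iam::123456789012:role/EcsAdministrator"}},
    {"name": "Least privilege", "community.aws.ecs_service": {"name": "svc", "cluster": "c",
        "task_definition": "t:1", "role": "arn:aws:iam::123456789012:role/ecsServiceRole"}},
    {"block": [{"name": "Free-form", "ecs_service":
                "name=svc cluster=c task_definition=t:1 role=Admin"}]},
    {"name": "Templated", "community.aws.ecs_service": {"name": "svc", "cluster": "c",
        "task_definition": "t:1", "role": "{{ ecs_service_role }}"}},
]

if __name__ == "__main__":
    for finding in find_ecs_role_findings(SAMPLE_TASKS):
        print(f"{finding['kind']:10} {finding['task']!r}: role={finding['role']!r}")
```

Run against the constructed sample, the scanner reports three `admin-role` findings (the literal `admin`, an ARN ending in `EcsAdministrator`, and the free-form `role=Admin` inside a block) and one `review` finding for the templated role; the least-privilege `ecsServiceRole` task produces nothing. The `review` items are exactly the cases the rule text says may be missed, so a `review` finding should be followed by checking the resolved role's attached policies for `AdministratorAccess`.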

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# Compliant: no role parameter is set, so the rule reports nothing
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: new_cluster-task:1
    desired_count: 0
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# Non-compliant: role is the literal string "admin", which the rule reports
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: 'new_cluster-task:1'
    desired_count: 0
    role: admin
```
