
Metadata

Id: 7db727c1-1720-468e-b80e-06697f71e09e

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Access Control

Description

ECS services must not be assigned administrative IAM roles. The role parameter of community.aws.ecs_service (or its short name ecs_service) names the IAM role that ECS assumes on the service's behalf, for example to register tasks with a load balancer. An admin-level role there grants the service broad, account-wide access and widens the blast radius of a compromise, enabling privilege escalation and lateral movement. The role must reference a least-privilege IAM role name or ARN and must not contain the substring "admin" (case-insensitive). This rule flags tasks where role is a string that includes "admin". Tasks that omit role, or that set it to a non-string value, are not detected by the substring check; a role passed through a variable (for example role: "{{ ecs_service_role }}") is a string without "admin" and passes the check even if the variable resolves to an administrative role. Review such tasks manually, and confirm that the referenced role does not carry the AdministratorAccess managed policy, since a name without "admin" is not by itself evidence of least privilege.
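The following checker is an added example of the detection logic the description spells out; it is illustrative code, not Datadog's scanner, and it generalizes slightly by descending into block/rescue/always sections. It operates on parsed tasks (the structure PyYAML's safe_load would return for a task list) so it runs offline; the sample task list, service names and the ecsServiceRole ARN are constructed for the example. A string role containing "admin" is reported as fail; a non-string role, which the substring rule cannot inspect, is reported as review; an omitted role or a templated variable is not flagged, matching the caveat above.

```python
"""Flag ecs_service tasks whose IAM service role looks administrative.

Added example implementing the rule described on this page. Not the
Datadog scanner's code; PyYAML is deliberately not imported so the
sample runs offline on an already-parsed task list.
"""
from typing import Any, Iterator, Optional

# Module names the rule covers, per the rule description.
ECS_SERVICE_MODULES = ("community.aws.ecs_service", "ecs_service")
# Ansible keys whose value is a nested task list.
NESTED_TASK_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        nested = [k for k in NESTED_TASK_KEYS if isinstance(task.get(k), list)]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key])
        else:
            yield task


def check_role(role: Any) -> Optional[str]:
    """Classify a role value: 'fail', 'review', or None (compliant/absent)."""
    if role is None:
        return None            # rule does not fire when role is omitted
    if not isinstance(role, str):
        return "review"        # mapping/list/number: substring check cannot run
    return "fail" if "admin" in role.lower() else None


def find_admin_roles(tasks: list[dict[str, Any]]) -> list[tuple[str, str, Any]]:
    """Return (task name, verdict, role value) for every finding, in task order."""
    findings = []
    for task in iter_tasks(tasks):
        for module in ECS_SERVICE_MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue       # task uses another module, or free-form args
            verdict = check_role(params.get("role"))
            if verdict:
                findings.append((task.get("name", "<unnamed>"), verdict, params["role"]))
    return findings


# Constructed sample (assumed account ID, names and ARNs): the structure
# yaml.safe_load() would produce for a playbook's task list.
SAMPLE_TASKS = [
    {"name": "no role",
     "community.aws.ecs_service": {"state": "present", "name": "svc-a", "cluster": "c1",
                                   "task_definition": "svc-a:1", "desired_count": 0}},
    {"name": "least-privilege arn",
     "community.aws.ecs_service": {"name": "svc-b", "cluster": "c1", "task_definition": "svc-b:1",
                                   "role": "arn:aws:iam::123456789012:role/ecsServiceRole"}},
    {"name": "bare admin",
     "community.aws.ecs_service": {"name": "svc-c", "cluster": "c1", "task_definition": "svc-c:1",
                                   "role": "admin"}},
    {"name": "short module, mixed case",
     "ecs_service": {"name": "svc-d", "cluster": "c1", "task_definition": "svc-d:1",
                     "role": "arn:aws:iam::123456789012:role/ECSAdminRole"}},
    # Templated value: a string without "admin", so it passes even if the
    # variable resolves to an administrative role at runtime.
    {"name": "templated role",
     "community.aws.ecs_service": {"name": "svc-f", "cluster": "c1", "task_definition": "svc-f:1",
                                   "role": "{{ ecs_service_role }}"}},
    {"name": "unrelated module",
     "amazon.aws.ec2_instance": {"name": "web", "image_id": "ami-0123456789abcdef0"}},
    {"name": "wrapper", "block": [
        {"name": "nested in block",
         "community.aws.ecs_service": {"name": "svc-e", "cluster": "c1", "task_definition": "svc-e:1",
                                       "role": {"name": "Administrator"}}},
    ]},
]


def evaluate_sample() -> list[tuple[str, str, Any]]:
    """Run the checker over the constructed sample."""
    return find_admin_roles(SAMPLE_TASKS)


if __name__ == "__main__":
    for name, verdict, role in evaluate_sample():
        print(f"{verdict.upper():6} {name}: role={role!r}")
```

Running the block reports two fail findings (the bare admin name and the mixed-case ECSAdminRole ARN) and one review finding for the mapping-valued role inside the block; the omitted, least-privilege and templated roles produce nothing, which is exactly the gap the description asks you to close by reviewing attached policies rather than names.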

Secure example referencing a non-admin role:

```yaml
- name: my-ecs-service
  community.aws.ecs_service:
    name: my-service
    cluster: my-cluster
    task_definition: my-task:1
    role: arn:aws:iam::123456789012:role/ecsTaskRole
```

Compliant Code Examples

```yaml
# Correct code: no role is set, so the query should not report a result
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: new_cluster-task:1
    desired_count: 0
```

Non-Compliant Code Examples

```yaml
# Problematic code: role contains "admin", so the query should report a result
- name: ECS Service
  community.aws.ecs_service:
    state: present
    name: console-test-service
    cluster: new_cluster
    task_definition: 'new_cluster-task:1'
    desired_count: 0
    role: admin
```