Granting access to join an ECS cluster

In the previous screenshot, notice that there are no credentials required to connect to the ECS cluster—you could be forgiven for thinking that ECS simply allows any EC2 instance to join an ECS cluster, but of course that would not be very secure.

EC2 instances include a feature called IAM instance profiles, which attaches an IAM role to the EC2 instance that defines various AWS service operations the instance can perform. In the EC2 dashboard for your EC2 instance, you can see that a role called ecsInstanceRole has been assigned to your instance, and if you click on this role, you will be taken to the IAM dashboard showing the Summary page for the role.

In the Permissions tab, you can see that an AWS-managed policy called AmazonEC2ContainerServiceforEC2Role is attached to the role, and if you expand the policy, you can see the various IAM permissions associated with this policy, as shown in the following screenshot:

EC2 Instance Role IAM Policy

Notice that the policy permits the ecs:RegisterContainerInstance action, which is the ECS permission required for an ECS container instance to join an ECS cluster. The policy also grants the ecs:CreateCluster permission, which means an ECS container instance attempting to register to an ECS cluster that does not currently exist will automatically create a new cluster.

One further thing to note is that the policy applies to all resources, as designated by the "Resource": "*" property, meaning any EC2 instance that is assigned a role with this policy will be able to join any ECS cluster in your account and region. Again, this may not seem very secure, but bear in mind that this is a policy intended to simplify granting the necessary permissions for your ECS container instances. In later chapters, we will discuss how to create your own custom IAM roles and policies to restrict which ECS clusters a given ECS container instance can join.
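As an added example (not code from the book or from AWS), the following Python script audits an instance-role policy document for the two grants discussed above, ecs:RegisterContainerInstance and ecs:CreateCluster on "Resource": "*", and compares a constructed broad policy with a constructed scoped-down one. The cluster ARN, account ID and region are made-up sample values, the scoped policy assumes ECS honours cluster ARNs as the resource for ecs:RegisterContainerInstance, and the evaluator is a simplified model of IAM (no Condition keys, no NotAction/NotResource).

```python
import fnmatch

# Constructed policy resembling the broad managed-policy statement discussed
# above; it is NOT a copy of AmazonEC2ContainerServiceforEC2Role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:CreateCluster", "ecs:RegisterContainerInstance",
                   "ecs:DeregisterContainerInstance", "ecs:Submit*"],
        "Resource": "*",
    }],
}

# Constructed scoped-down alternative: no CreateCluster, and registration is
# limited to one cluster ARN (sample account/region; assumes cluster-ARN scoping).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RegisterContainerInstance", "ecs:DeregisterContainerInstance"],
        "Resource": "arn:aws:ecs:us-east-1:123456789012:cluster/prod-cluster",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards; comparison is case-folded for simplicity.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def wildcard_grants(policy, sensitive_actions):
    """Return the sensitive actions that some Allow statement grants on Resource '*'."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.update(a for a in sensitive_actions
                     if any(_matches(p, a) for p in _as_list(stmt.get("Action", []))))
    return sorted(found)
```

Running wildcard_grants against the broad policy flags both actions, while the scoped policy reports none and refuses registration to any cluster other than prod-cluster.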