From 62427336ef70cefbc96f6ab83d51103326a3b039 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Fri, 2 May 2025 22:05:55 +0200
Subject: [PATCH] chore(aws/ecs): review executing commands in tasks' containers
---
 knowledge base/cloud computing/aws/ecs.md | 34 +++++++++++++----------
 snippets/aws/other commands.fish | 4 +++
 2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/knowledge base/cloud computing/aws/ecs.md b/knowledge base/cloud computing/aws/ecs.md
index b8e6dc0..ee76c2f 100644
--- a/knowledge base/cloud computing/aws/ecs.md
+++ b/knowledge base/cloud computing/aws/ecs.md
@@ -401,7 +401,7 @@ Whe whole procedure is transparent and does **not** compel requirements changes
 Requirements:
 - The required SSM components must be available on the EC2 instances hosting the container.
- Amazon's ECS optimized AMI and Fargate 1.4 include their latest version already.
+ Amazon's ECS optimized AMI and Fargate 1.4.0+ include their latest version already.
 - The container's image must have `script` and `cat` installed.
Required in order to have command logs uploaded correctly to S3 and/or CloudWatch.
 - The task's role (**not** the Task's _execution_ role) must have specific permissions assigned.
@@ -438,26 +438,32 @@ Requirements:
 "logs:DescribeLogStreams",
 "logs:PutLogEvents"
 ],
- "Resource": "arn:aws:logs:eu-west-1:012345678901:log-group:/ecs/log-group-name:*"
+ "Resource": [
+ "arn:aws:logs:eu-west-1:012345678901:log-group:log-group-name",
+ "arn:aws:logs:eu-west-1:012345678901:log-group:log-group-name:log-stream:log-stream-name"
+ ]
 },
 {
- "Sid": "OptionalGlobalS3Permissions",
+ "Sid": "OptionalS3PermissionsIfSSMRecordsLogsInBuckets",
 "Effect": "Allow",
- "Action": "s3:GetEncryptionConfiguration",
- "Resource": "arn:aws:s3:::ecs-exec-bucket"
+ "Action": [
+ "s3:GetEncryptionConfiguration",
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::ecs-exec-bucket",
+ "arn:aws:s3:::ecs-exec-bucket/session-logs/*"
+ ]
 },
 {
- "Sid": "OptionalSpecificS3Permissions",
+ "Sid": "OptionalKMSPermissionsIfSSMRecordsLogsInEncryptedBuckets",
 "Effect": "Allow",
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::ecs-exec-bucket/*"
- },
- {
- "Sid": "OptionalKMSPermissions",
- "Effect": "Allow",
- "Action": "kms:Decrypt",
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ],
 "Resource": "arn:aws:kms:eu-west-1:012345678901:key/abcdef01-2345-6789-abcd-ef0123456789"
- }
+ },
 ]
 }
 ```
diff --git a/snippets/aws/other commands.fish b/snippets/aws/other commands.fish
index 0547380..caaa1f2 100644
--- a/snippets/aws/other commands.fish
+++ b/snippets/aws/other commands.fish
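Review bot: The new last statement closes with `},` immediately before the `]` that ends the `Statement` array, which is a trailing comma: IAM's policy parser rejects it, so a reader who pastes this policy gets a syntax error instead of a working role. Restore the closing brace without the comma on that line, `}` then `]`. Separately, the CloudWatch resource now names one fixed stream, `log-group:log-group-name:log-stream:log-stream-name`; as far as I know ECS Exec writes each session to its own newly created log stream, so `logs:CreateLogStream` and `logs:PutLogEvents` scoped to a single stream name will be denied for real sessions, whereas the previous `log-group:log-group-name:*` form (or a `:log-stream:*` entry) matches every stream in the group. It would also help to state in the surrounding text that the `session-logs/` prefix in the S3 resource must equal the `s3KeyPrefix` configured in the cluster's `executeCommandConfiguration`, since `s3:PutObject` on any other key falls outside the allowed resource.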
@@ -169,6 +169,10 @@ aws ecs execute-command --cluster 'staging' --task 'e242654518cf42a7be13a8551e0b
 --interactive --command 'nc -vz 127.0.0.1 28080'
 aws ecs execute-command --cluster 'staging' --task '0123456789abcdefghijklmnopqrstuv' --container 'pihole' \
 --interactive --command "dd if=/dev/zero of=/spaceHogger count=16048576 bs=1024"
+# Execute commands in tasks given their service name
+aws ecs list-tasks --cluster 'staging' --service-name 'prometheus' --query 'taskArns' --output 'text' \
+| xargs -I '%%' aws ecs execute-command --cluster 'staging' --task '%%' --container 'prometheus' \
+ --interactive --command 'nc -vz 127.0.0.1 9090'
 # Stop tasks given a service name
 aws ecs list-tasks --cluster 'staging' --service-name 'mimir' --query 'taskArns' --output 'text' \