If you get the following email, you need to upgrade to CDK 2.128.0 to resolve the issue. See aws/aws-cdk#27891 for more details.
Subject: [Action Required] Update to ECS APIs for task definition families
Hello,
We are contacting you because we recently identified an issue with Amazon Elastic Container Service (Amazon ECS) APIs that requires your action. When calling the RunTask [1], StartTask [2], CreateService [3], CreateTaskSet [4], UpdateService [5] APIs, users can specify a task revision number to launch a specific version of that task [6]. We identified an issue that resulted in inconsistencies in how the Identity and Access Management (IAM) policies are enforced during request authorization to the above-mentioned APIs. Specifically, resource condition keys specifying task-definition families without a revision number could potentially be interpreted differently if the task definition did not include a revision number when the API was called. As a result, the latest version of the task would be selected. We have implemented a fix and can confirm the service is operating as expected.
We identified your account has made requests to one or more of the affected ECS APIs. We recommend you review the policies listed in the "Affected resources" tab of your AWS Health Dashboard to ensure the resource condition keys specifying task-definition families include a revision number. To give you time to review and make necessary changes, we have added your account to an allow list until October 15, 2024. If you wish to be removed from the allow list prior to October 15, 2024, you can do so by creating an AWS Support case [7]. If you do not take any action by that date, calls to the affected APIs will result in AccessDeniedException error messages.
To correctly enforce IAM policy-based decisions after October 15, 2024, you must specify a revision number, or the wildcard (‘*’) for the task definition family, on task definition ARNs when used as a resource type.
An example of a policy that will correctly ALLOW for all task definition revisions is shown below:
When you intend to apply the policy for a specific revision of the task definition, you must specify the revision in the resource ARN. The following is an example of a policy that would correctly enforce ALLOW for a specific task definition revision:
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
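An added example, not part of the original post or the AWS email: a Python check that scans an IAM policy document for ECS task-definition ARNs in `Resource`/`NotResource` that carry neither a revision number nor `*`, which is the condition the email asks you to fix. The function names and the sample policy (account ID, family names) are constructed for illustration, and treating a trailing `*` as covering the revision is an assumption.

```python
import json
import re

# arn:<partition>:ecs:<region>:<account>:task-definition/<family>[:<revision>]
TASK_DEF_ARN = re.compile(r"^arn:[^:]*:ecs:[^:]*:[^:]*:task-definition/(?P<name>.+)$")

def _as_list(value):
    """IAM accepts a single string/object wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def has_revision(name):
    """True if the text after 'task-definition/' pins a revision or wildcards it."""
    _family, sep, revision = name.rpartition(":")
    if sep and (revision.isdigit() or revision == "*"):
        return True
    # Assumption: a trailing '*' (e.g. 'task-definition/*') also spans ':<revision>'.
    return name.endswith("*")

def find_unversioned_task_defs(policy):
    """Return (sid, arn) pairs for task-definition ARNs with no revision and no '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        for key in ("Resource", "NotResource"):
            for arn in _as_list(stmt.get(key)):
                m = TASK_DEF_ARN.match(arn) if isinstance(arn, str) else None
                if m and not has_revision(m.group("name")):
                    findings.append((sid, arn))
    return findings

# Constructed sample policy; account ID and family names are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "RunWeb", "Effect": "Allow", "Action": "ecs:RunTask",
   "Resource": "arn:aws:ecs:us-east-1:111122223333:task-definition/web"},
  {"Sid": "RunPinned", "Effect": "Allow", "Action": "ecs:RunTask",
   "Resource": ["arn:aws:ecs:us-east-1:111122223333:task-definition/web:*",
                "arn:aws:ecs:us-east-1:111122223333:task-definition/batch:7"]},
  {"Sid": "UpdateSvc", "Effect": "Allow", "Action": "ecs:UpdateService",
   "Resource": ["arn:aws:ecs:*:111122223333:task-definition/batch",
                "arn:aws:ecs:us-east-1:111122223333:service/prod/web"]}
]}
""")

if __name__ == "__main__":
    for sid, arn in find_unversioned_task_defs(SAMPLE_POLICY):
        print(f"{sid}: {arn} has no revision or '*'")
```

Feed it the JSON of each policy listed under "Affected resources" in the AWS Health Dashboard; any pair it returns is a resource entry that needs `:<revision>` or `:*` appended.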