
Shared responsibility model for Amazon ECS Managed Instances

Amazon ECS Managed Instances provides a managed solution for containerized workloads that combines the operational simplicity of Fargate with access to the full range of Amazon EC2 instance types and capabilities. Amazon handles infrastructure provisioning, patching, scaling, and maintenance while customers retain control over their applications and specific configurations.

Unlike Fargate, containerized workloads running on Amazon ECS Managed Instances share the operating system, Linux kernel, network interface, ephemeral storage, CPU, memory, and GPU resources with other tasks on the same instance. Amazon ECS optimizes infrastructure utilization by placing multiple tasks on larger instances to minimize unused capacity.

Amazon responsibilities

When using Amazon ECS Managed Instances, Amazon is responsible for:

  • Instance provisioning and lifecycle management

  • Operating system patching and security updates

  • Infrastructure scaling and optimization

  • Instance replacement and maintenance (maximum 21-day instance lifetime)

  • Access control restrictions (no SSH access, no SSM Session Manager access)

  • Amazon EC2 instance store encryption, that is, storage directly attached to the instance. For more information, see Data protection in Amazon EC2.

  • The volumes attached to Amazon EC2 instances at creation time, including root and data volumes, which Amazon ECS manages.

  • The underlying Amazon EC2 managed instances that Amazon ECS uses under the hood. For more information about Amazon EC2 managed instances, see Security in Amazon EC2.

Customer responsibilities

You are responsible for managing the following resources:

  • Network configuration including VPC, NACLs, security groups, and route tables

  • Client and service storage encryption. For more information, see Storage options for Amazon ECS tasks.

  • Container images. For more information, see Amazon ECS task and container security best practices.

  • IAM permissions for the applications by using the task role. For more information, see Amazon ECS task IAM role.

  • Application-level configuration and monitoring

  • Task and service definitions

  • Security considerations for workloads sharing underlying instance resources

  • Privileged container configurations and enhanced Linux capabilities (CAP_NET_ADMIN, CAP_BPF, etc.) when enabled

  • Management operations through Amazon ECS API (direct instance access via SSH or SSM is not available)
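Because the customer-side items above (task IAM role, privileged containers, added Linux capabilities, and resource limits on instances shared with other tasks) all live in the task definition, they can be checked before a task definition is registered. The following audit script is an added example, not code from Amazon or from the ECS documentation; it reads a task definition as a Python dictionary in the shape the RegisterTaskDefinition API accepts, and the two sample task definitions, the IAM account ID, the role name and the image name in it are constructed placeholders. The set of capabilities it flags as high-impact is the author's choice, seeded with the two the page names (CAP_NET_ADMIN and CAP_BPF).

```python
"""Audit an ECS task definition for the customer-responsibility settings
discussed on this page. Added example; assumes the task definition has the
structure accepted by the ECS RegisterTaskDefinition API."""
import json

# Capabilities treated as high-impact. The page names CAP_NET_ADMIN and
# CAP_BPF; the others are the author's additions. ECS task definitions
# list capabilities without the CAP_ prefix ("NET_ADMIN"), so names are
# normalized before comparison.
HIGH_IMPACT_CAPS = {"NET_ADMIN", "BPF", "SYS_ADMIN", "SYS_PTRACE", "ALL"}


def _norm_cap(name: str) -> str:
    """Return the capability name in ECS form: upper case, no CAP_ prefix."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_task_definition(td: dict) -> list[str]:
    """Return a list of findings; an empty list means no issue was found."""
    findings: list[str] = []

    # Applications get IAM permissions through the task role, so a task
    # definition without one leaves the application with no scoped identity.
    if not td.get("taskRoleArn"):
        findings.append("task: no taskRoleArn set; application has no scoped IAM role")

    task_memory = td.get("memory")  # task-level limit, if any
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")

        # Tasks on a managed instance share the kernel with other tasks, so a
        # privileged container weakens isolation for every task on that host.
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true on an instance shared with other tasks")

        caps = (c.get("linuxParameters") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            n = _norm_cap(cap)
            level = "high-impact" if n in HIGH_IMPACT_CAPS else "added"
            findings.append(f"{name}: {level} capability {n}")

        # CPU and memory are shared with co-located tasks; a container with no
        # memory bound at any level can starve its neighbours.
        if not task_memory and not c.get("memory") and not c.get("memoryReservation"):
            findings.append(f"{name}: no memory limit at task or container level")

    return findings


# Constructed sample: a weak definition and a hardened one. The account ID,
# role name and image are placeholders, not real resources.
WEAK_TASK_DEF = {
    "family": "example-weak",
    "containerDefinitions": [{
        "name": "app",
        "image": "example.com/app:latest",
        "privileged": True,
        "linuxParameters": {"capabilities": {"add": ["NET_ADMIN", "CAP_BPF"]}},
    }],
}

HARDENED_TASK_DEF = {
    "family": "example-hardened",
    "taskRoleArn": "arn:aws:iam::123456789012:role/example-app-task-role",
    "memory": "512",
    "containerDefinitions": [{
        "name": "app",
        "image": "example.com/app:latest",
        "privileged": False,
        "linuxParameters": {"capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for td in (WEAK_TASK_DEF, HARDENED_TASK_DEF):
        print(td["family"], json.dumps(audit_task_definition(td), indent=2))
```

The hardened definition produces no findings: it sets a task role, drops all capabilities instead of adding any, runs unprivileged, and bounds memory at the task level. Running the script against a task definition exported with `aws ecs describe-task-definition` (the `taskDefinition` object) works the same way, since the fields it reads are the ones ECS returns.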