Amazon shared responsibility model for Amazon ECS - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon shared responsibility model for Amazon ECS

Security and compliance is a shared responsibility between Amazon and the customer. This shared model can help relieve the customer’s operational burden, as Amazon operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the Amazon-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.

Fargate launch type

The following illustration shows the shared responsibility model for the Fargate launch type. Fargate runs each workload in an isolated, hardware-virtualized environment. As a result, each task gets dedicated infrastructure capacity. Containerized workloads running on Fargate do not share an operating system, Linux kernel, network interface, ephemeral storage, CPU, or memory with other tasks. When using Fargate, customers are not responsible for securing the compute infrastructure that runs their containers. Fargate provisions and patches the infrastructure on which customer workloads run. For more information, see Task retirement and maintenance for Amazon Fargate on Amazon ECS.

You are responsible for managing the following resources:

Diagram showing the shared responsibility model for Fargate on Amazon ECS.

EC2 launch type

The following illustration shows the shared responsibility model for the EC2 launch type. When you run tasks on EC2 instances, you are responsible for maintaining your EC2 instances in addition to the following resources:

Diagram showing the shared responsibility model for EC2 on Amazon ECS.