Deprecation notice for canContainersAccessInstanceRole prop in ECS construct #32609
Replies: 2 comments
-
Nice, with the upcoming deprecation of the Appreciate it!
-
I'm convinced that this is a regression, not an improvement to security posture. It would seem that AWS no longer wants to support their own best practices for deploying ECS clusters. I understand why this might be being considered - namely, the complexity of the aws_cdk.aws_ecs constructs specifically around capacity providers, mixed instances policies and more might mean that this flag isn't properly set. As a note, this flag was so rushed that there's even a typo in its implementation:
"flagto" is the typo. As a case in point, associating a launch template with a mixed instances policy rather than a cluster will trigger these warnings, but associating a launch template with a cluster will not. There's nothing the customer can do to work around the feature in this particular case without using significant, complicated escape hatches.
-
Hi All,

This is to inform you of an upcoming change in support of the canContainersAccessInstanceRole property used in the ECS construct. AWS Cloud Development Kit (AWS CDK) will deprecate the canContainersAccessInstanceRole property used in the ECS Cluster.AddCapacity [1], Cluster.addAutoScalingGroupCapacity [2] APIs, and AsgCapacityProvider [3] construct. This feature will be removed from the CDK codebase by December 12, 2025.

Rationale for Deprecation

We are deprecating this feature because of challenges in supporting the security sensitive nature of this flag going forward. CDK cannot guarantee the correct execution of canContainersAccessInstanceRole across all platforms that depend on platform images, container engines, and future updates to these components.

Recommended Approach

We recommend you use the ECS service's recommended configurations to block IMDS on EC2 instances moving forward:
- For Windows and Linux, follow the guidance in the AWS documentation.
- For Bottlerocket, refer to the discussion on the Bottlerocket GitHub repository.

Disabling the Deprecated Feature

To ensure this deprecated feature is not used in your environments, we strongly suggest enabling the Disable_ECS_IMDS_Blocking feature flag. This flag will be automatically enabled for all new CDK projects created using the cdk init command by January 8, 2025, but will be disabled for your existing projects. If this flag is enabled, the CDK synthesis and deploy commands will fail whenever canContainersAccessInstanceRole is set to false. This has been done to signal that the instance role access from containers should be blocked using the recommended approaches.

Temporary Usage of the Deprecated Feature

If, for any reason, you need to retain usage of canContainersAccessInstanceRole to block container access to IMDS on Linux, you can set the feature flag value Disable_ECS_IMDS_Blocking to false to avoid failures on synthesis and deploy commands after the launch of this feature flag by January 8, 2025. Please note that the CDK team does not recommend this, and you should only use it as a short-term solution. You will also continue to see warning messages when using this deprecated feature, as there is no guarantee that the current approach will keep working for any future updates to the Linux kernel or container engines running on them.

CDK does not support this feature for Windows and Bottlerocket images. CDK will raise warning messages for these operating systems until the final removal of this feature entirely by December 12, 2025.

Provide Feedback

We encourage you to share your feedback on this change on this discussion on GitHub.
[1] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.AddCapacityOptions.html#cancontainersaccessinstancerole
[2] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.AddAutoScalingGroupCapacityOptions.html#cancontainersaccessinstancerole
[3] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.AsgCapacityProvider.html#cancontainersaccessinstancerole
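The announcement asks readers to enable the feature flag and to move the IMDS block from the deprecated property onto the hosts themselves. One way to check both, as an added example that is not part of the announcement or of the aws-cdk project: a small Python audit that reads a project's cdk.json for the flag and scans a synthesized CloudFormation template for launch templates and launch configurations, reporting whether each one requires IMDSv2 and whether its user data carries the Linux host-side blocks (an iptables DROP for 169.254.169.254 on container interfaces for bridge-mode tasks, and ECS_AWSVPC_BLOCK_IMDS=true in the agent config for awsvpc-mode tasks). The cdk.json context key for Disable_ECS_IMDS_Blocking is assumed here to be `@aws-cdk/aws-ecs:disableEcsImdsBlocking`; verify it against the FEATURE_FLAGS list of your aws-cdk-lib version. The cdk.json text and the template are constructed samples embedded inline; the hop-limit check reflects the general IMDSv2 property that a hop limit of 1 keeps metadata responses from crossing a container bridge, which is not something the announcement itself discusses.

```python
import base64
import json
from typing import Any

# Assumed cdk.json context key for the Disable_ECS_IMDS_Blocking flag
# (not taken from the announcement; confirm against your CDK version).
DISABLE_ECS_IMDS_BLOCKING_KEY = "@aws-cdk/aws-ecs:disableEcsImdsBlocking"

# Markers of the Linux host-side blocks from the AWS task-IAM-role guidance:
# a DROP rule for the metadata address (bridge mode) and the agent setting
# that blocks IMDS for awsvpc-mode tasks.
IMDS_ADDRESS = "169.254.169.254"
AWSVPC_BLOCK_MARKER = "ECS_AWSVPC_BLOCK_IMDS=true"


def feature_flag_enabled(cdk_json_text: str) -> bool:
    """True when cdk.json sets the IMDS-blocking feature flag to true."""
    context = json.loads(cdk_json_text).get("context", {})
    return context.get(DISABLE_ECS_IMDS_BLOCKING_KEY) is True


def _join(node: Any) -> str:
    """Collapse a CloudFormation value (Fn::Join / Fn::Sub / Ref) into text."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict):
        if "Fn::Join" in node:
            _delim, parts = node["Fn::Join"]
            return "".join(_join(p) for p in parts)
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            return _join(sub[0] if isinstance(sub, list) else sub)
        if "Ref" in node:
            return "${" + node["Ref"] + "}"  # keep refs as readable placeholders
        return " ".join(_join(v) for v in node.values())
    if isinstance(node, list):
        return " ".join(_join(v) for v in node)
    return ""


def user_data_text(value: Any) -> str:
    """Decode UserData whether it is Fn::Base64 of intrinsics or a base64 literal."""
    if value is None:
        return ""
    if isinstance(value, dict) and "Fn::Base64" in value:
        return _join(value["Fn::Base64"])
    if isinstance(value, str):
        try:
            return base64.b64decode(value, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return value
    return _join(value)


def audit_template(template: dict) -> dict[str, dict[str, bool]]:
    """Per launch template / launch configuration: IMDSv2 and IMDS-block status."""
    findings: dict[str, dict[str, bool]] = {}
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::LaunchTemplate":
            data = props.get("LaunchTemplateData", {})
        elif res.get("Type") == "AWS::AutoScaling::LaunchConfiguration":
            data = props
        else:
            continue
        meta = data.get("MetadataOptions", {})
        text = user_data_text(data.get("UserData"))
        findings[logical_id] = {
            "imdsv2_required": meta.get("HttpTokens") == "required",
            "hop_limit_is_1": meta.get("HttpPutResponseHopLimit") == 1,
            "bridge_imds_blocked": IMDS_ADDRESS in text and "DROP" in text,
            "awsvpc_imds_blocked": AWSVPC_BLOCK_MARKER in text,
        }
    return findings


def hosts_without_imds_block(template: dict) -> list[str]:
    """Logical IDs whose user data carries neither host-side block."""
    return sorted(
        lid for lid, f in audit_template(template).items()
        if not (f["bridge_imds_blocked"] and f["awsvpc_imds_blocked"])
    )


# Constructed samples: a cdk.json with the flag on, and a template holding one
# hardened launch template and one legacy launch configuration.
SAMPLE_CDK_JSON = json.dumps({
    "app": "npx ts-node bin/app.ts",
    "context": {DISABLE_ECS_IMDS_BLOCKING_KEY: True},
})

SAMPLE_TEMPLATE = {"Resources": {
    "HardenedLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {
            "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1},
            "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                "#!/bin/bash\n",
                "echo ECS_CLUSTER=", {"Ref": "Cluster"}, " >> /etc/ecs/ecs.config\n",
                "echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config\n",
                "sudo iptables --insert DOCKER-USER 1 --in-interface docker+ ",
                "--destination 169.254.169.254/32 --jump DROP\n",
            ]]}},
        }}},
    "LegacyLC": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
        "UserData": base64.b64encode(
            b"#!/bin/bash\necho ECS_CLUSTER=prod >> /etc/ecs/ecs.config\n").decode(),
    }},
}}

if __name__ == "__main__":
    print("feature flag enabled:", feature_flag_enabled(SAMPLE_CDK_JSON))
    for lid, f in audit_template(SAMPLE_TEMPLATE).items():
        print(lid, f)
    print("hosts without IMDS block:", hosts_without_imds_block(SAMPLE_TEMPLATE))
```

Run it against `cdk.out/<Stack>.template.json` after `cdk synth` to confirm that every capacity resource still blocks IMDS once `canContainersAccessInstanceRole` is gone; a host that shows up in `hosts_without_imds_block` is one where task containers can still reach the instance role's credentials.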