Amazon ECS is introducing a newly required IAM permission, ecs:TagResource, that supports tagging when creating ECS resources. Beginning on July 17, 2023, the default behavior for adding tags to newly created ECS resources will be set to “Deny”. Once this default behavior is launched, any attempts to tag any newly created ECS resources will fail with an “AccessDenied” error if the ecs:TagResource permission is not added to the IAM policy of any principal creating the resource. The APIs for this change are the following: CreateCapacityProvider, CreateCluster, CreateService, CreateTaskSet, RegisterContainerInstance, RunTask, StartTask, RegisterTaskDefinition. These APIs offer the ability to add tags and without the new permission the API calls would fail.
We have determined that your account is using one or more of these APIs and is also using those APIs to add tags to resources. In order for your IAM principals to continue to be able add tags to newly created ECS resources on or after July 17, 2023, please update your IAM policies associated with these principals per the guidance below.
Required Action:
Once this change takes effect, in order to add tags to ECS resources, you will need to add the Action ecs:TagResource to your IAM policy or policies. Adding the following statement to your IAM policies will ensure your IAM principals will continue to be able to apply tags to newly created ECS resources on or after July 17, 2023:
Amazon ECS is introducing a newly required IAM permission, ecs:TagResource, that supports tagging when creating ECS resources. Beginning on July 17, 2023, the default behavior for adding tags to newly created ECS resources will be set to “Deny”. Once this default behavior is launched, any attempts to tag any newly created ECS resources will fail with an “AccessDenied” error if the ecs:TagResource permission is not added to the IAM policy of any principal creating the resource. The APIs for this change are the following: CreateCapacityProvider, CreateCluster, CreateService, CreateTaskSet, RegisterContainerInstance, RunTask, StartTask, RegisterTaskDefinition. These APIs offer the ability to add tags and without the new permission the API calls would fail.
We have determined that your account is using one or more of these APIs and is also using those APIs to add tags to resources. In order for your IAM principals to continue to be able add tags to newly created ECS resources on or after July 17, 2023, please update your IAM policies associated with these principals per the guidance below.
Required Action:
Once this change takes effect, in order to add tags to ECS resources, you will need to add the Action ecs:TagResource to your IAM policy or policies. Adding the following statement to your IAM policies will ensure your IAM principals will continue to be able to apply tags to newly created ECS resources on or after July 17, 2023:
“Statement”: [ { “Sid”: “AllowTagging”, “Effect”: “Allow”, “Action”: [ “ecs:TagResource” ], “Resource”: “*” } ]