What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS ECS Security: Task Roles, Network Mode, and Container Hardening

ECS security is simpler than EKS security in some ways (no Kubernetes RBAC, no pod networking abstractions) but has its own specific considerations around task IAM roles, container networking modes, and the differences between Fargate and EC2 launch types. Getting the security model right for ECS means understanding these distinctions and applying appropriate controls at each layer.

Task IAM Roles: The Core Access Control

ECS task roles are the equivalent of EC2 instance profiles for containers. Each ECS task definition includes a taskRoleArn specifying the IAM role that task containers use to call AWS services. Without a task role, containers can't make AWS API calls. With an overly permissive task role, a compromised container can take extensive actions in your AWS account.

Define task roles with exactly the permissions the container's application needs — not the permissions of the developer who deployed it. An API server that reads from DynamoDB and writes to S3 needs dynamodb:GetItem, dynamodb:Query, s3:PutObject, and s3:GetObject scoped to specific table and bucket ARNs. It doesn't need administrative access or even full DynamoDB access.

Distinguish between the task role (runtime AWS permissions) and the task execution role (permissions used by the ECS agent and Fargate to pull images, retrieve secrets, and write to CloudWatch Logs). The execution role needs ECR access and CloudWatch Logs write permissions; it doesn't need your application's AWS permissions. Keep these roles separate.

Fargate vs. EC2 Launch Type Security

The choice between Fargate and EC2 launch types has significant security implications:

Fargate provides stronger container isolation. Each Fargate task runs in its own dedicated microVM, preventing any container escape from affecting other tasks or the underlying host. AWS manages the host OS, patching, and hardening. The attack surface is reduced because you don't have access to (and can't accidentally misconfigure) the host environment. Fargate is the right choice for workloads where the additional isolation justifies the cost.

EC2 launch type shares the underlying host OS across multiple tasks. A container escape vulnerability could allow one container to affect others on the same host or access the EC2 instance role credentials from the instance metadata service. If using EC2 launch type, ensure the EC2 instance role has minimal permissions (ECS agent requirements only, not application permissions), use Fargate for the most sensitive workloads in mixed environments, and apply IMDSv2 enforcement on ECS nodes.

Network Mode Security

ECS supports multiple network modes for tasks, each with different security implications:

awsvpc: Each task gets its own elastic network interface (ENI) with a VPC IP address. Tasks have security groups applied at the ENI level, providing the same granular access control as EC2 instances. This is the required mode for Fargate and the recommended mode for EC2 launch type. Use awsvpc for all production services.

bridge: Container ports are mapped to the EC2 host's port space. Multiple containers share the host's network namespace. Less secure than awsvpc because security groups are applied at the EC2 instance level rather than the task level — all containers on the host share the same security group configuration.

host: Containers share the host's network namespace entirely. The container's network is indistinguishable from the host's network. This mode should never be used in production — a container can bind to the same ports as the host and interact directly with the host network.

Secrets in ECS

ECS supports retrieving secrets from AWS Secrets Manager and SSM Parameter Store at task launch time. Configure secrets in the task definition:

{
  "name": "DATABASE_PASSWORD",
  "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-abc123"
}

The ECS execution role retrieves the secret and injects it as an environment variable in the container at startup. The secret value is never visible in the task definition — only the ARN is stored there. If the secret rotates in Secrets Manager, the updated value is injected on the next task start (not automatically into running tasks — you need to restart tasks to pick up rotated secrets).

Container Image Security

Use ECR (with Inspector scanning enabled) as your container registry. Enable scan on push for all repositories to catch vulnerabilities before deployment. Consider blocking task launches for images with critical vulnerabilities by integrating Inspector findings into your CI/CD pipeline's deployment gates.

Use minimal base images. Alpine Linux base images are substantially smaller than Debian or Ubuntu bases and have fewer pre-installed packages that can contain vulnerabilities. Distroless images (containing only your application and its runtime dependencies) are even smaller and have a minimal attack surface.

FAQ

Does ECS on Fargate protect against container breakouts?

Fargate's microVM isolation significantly reduces the risk of container escape affecting other workloads or the host. The isolation is at the Fargate task level — each task runs in a dedicated microVM. This doesn't prevent a container from accessing other AWS resources using its task role (which is intentional — that's how applications call AWS services). Security-in-depth for Fargate means: minimal task role permissions, network policies via security groups, and secure container images.

How does ECS handle secrets rotation?

ECS injects secrets at task start time. Rotating a secret in Secrets Manager doesn't automatically update running ECS tasks — the old secret remains injected until the task is restarted. For zero-downtime secret rotation, your application code should retrieve the secret value from Secrets Manager at runtime (not only at startup), handle authentication failures by refreshing the secret, and retry failed operations. This pattern works with Secrets Manager's rotation without requiring task restarts.

Should I use ECS or EKS for new container workloads?

ECS is simpler to operate and has lower operational overhead. EKS provides more flexibility, a richer ecosystem, and portability across cloud providers. For teams without existing Kubernetes expertise, ECS on Fargate is often the right starting point. For teams with Kubernetes experience or needing advanced features (custom scheduler, advanced networking, ecosystem integrations), EKS is appropriate. The security posture of both can be made equally strong with proper configuration.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Vigilare Engineering

Platform Team