
(stepfunctions-tasks): Security action for EcsRunTask  #30368

@kackyt

Description

Describe the feature

The following message has been received by AWS users and needs to be addressed to be compliant in granting permissions when using EcsRunTask.

We are contacting you due to an issue with the Amazon Elastic Container Service (Amazon ECS) API that requires action: RunTask, StartTask, CreateService, and CreateTaskSet. When calling the RunTask, StartTask, CreateService, CreateTaskSet, or UpdateService APIs, users can specify the revision number of a task definition to launch a specific version of that task. We have identified an inconsistency in the way Identity and Access Management (IAM) policies are applied during request authentication for the above APIs. Specifically, when the API is invoked without the revision number of the task definition, it could be interpreted differently if the revision number of the task definition family is not specified in the resource condition key. As a result, the latest version of the task was selected. We have implemented a fix and have verified that the service is working as expected.

We have verified that your account sent a request to one or more of the affected ECS APIs. We recommend that you review the policies listed in the "Affected Resources" tab to ensure that the resource condition key specifying the task definition family contains the revision number. To allow time to review and make any necessary changes, we are adding your account to the permit list until October 15, 2024; if you wish to remove your account from the permit list prior to October 15, 2024, please create an AWS Support Case [see below]. If you do not perform the action by that date, any calls to the affected APIs will return an AccessDeniedException error message.

After October 15, 2024, to properly apply IAM policy-based decisions, you must specify the revision number or the task definition family wildcard ('*') when using a task definition ARN as the resource type.

Use Case

When executing an ECS task from Step Functions using EcsRunTask in stepfunctions-tasks.

Proposed Solution

Remove the ECS task family ARN from the IAM resource permission policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:RunTask",
      "Resource": [
        "arn:aws:ecs:*:*:task-definition/sleep360",   // here
        "arn:aws:ecs:*:*:task-definition/sleep360:*"
      ]
    }
  ]
}

Other Information

Related issues: #12080, #27891

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.143.0

Environment details (OS name and version, etc.)

macOS,Linux,Windows
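The AWS notice quoted above asks account owners to review every policy that grants the affected ECS actions and make sure each task-definition resource ARN carries either a revision number or the family wildcard (family:*). The following script is an added example, not code from this issue or from aws-cdk: it audits a policy document for task-definition ARNs that have neither, rewrites them to the family:* form, and shows with a simplified IAM wildcard matcher why the bare family ARN never matches a request that names a specific revision. ISSUE_POLICY is a constructed sample mirroring the statement posted above; iam_match, find_unpinned_task_definitions, pin_task_definition_family and resource_allowed are this example's own names, and the matcher handles Allow statements only (no Deny, Condition or NotResource evaluation).

```python
"""Audit an IAM policy for ECS task-definition resource ARNs that carry
neither a revision number nor the ':*' family wildcard, and rewrite them.

Added example, not code from the issue or from aws-cdk. ISSUE_POLICY is a
constructed sample mirroring the statement posted in the issue; the
function names are this example's own. iam_match is a simplified IAM
wildcard matcher ('*' = any run of characters, '?' = one character) that
ignores Deny, Condition and NotResource; it is enough to show how the
Resource patterns behave against a concrete task-definition ARN.
"""
import json
import re

# ECS APIs named in the AWS notice as accepting a task definition.
AFFECTED_ACTIONS = {
    "ecs:RunTask", "ecs:StartTask", "ecs:CreateService",
    "ecs:CreateTaskSet", "ecs:UpdateService",
}

# arn:partition:ecs:region:account:task-definition/family[:revision]
TASK_DEF_ARN = re.compile(
    r"^arn:[^:]*:ecs:[^:]*:[^:]*:task-definition/(?P<family>[^:]+)"
    r"(?::(?P<revision>.+))?$"
)

# Constructed sample: the statement from the issue, with the family ARN
# both without and with the ':*' wildcard.
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:RunTask",
        "Resource": [
            "arn:aws:ecs:*:*:task-definition/sleep360",
            "arn:aws:ecs:*:*:task-definition/sleep360:*",
        ],
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """Simplified IAM wildcard matching of a full action name or ARN."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _grants_affected_action(stmt: dict) -> bool:
    actions = _as_list(stmt.get("Action", []))
    return stmt.get("Effect") == "Allow" and any(
        iam_match(a, target) for a in actions for target in AFFECTED_ACTIONS)


def find_unpinned_task_definitions(policy: dict) -> list:
    """(statement index, resource ARN) for each task-definition resource that
    has no ':revision' and no ':*' in a statement granting an affected action."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _grants_affected_action(stmt):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            m = TASK_DEF_ARN.match(res)
            if m and m.group("revision") is None:
                findings.append((i, res))
    return findings


def pin_task_definition_family(policy: dict) -> dict:
    """Deep copy of the policy where each unpinned family ARN is replaced by
    the 'family:*' form (simply dropped if that form is already present)."""
    fixed = json.loads(json.dumps(policy))
    for i, res in find_unpinned_task_definitions(fixed):
        stmt = _as_list(fixed["Statement"])[i]
        resources = [r for r in _as_list(stmt["Resource"]) if r != res]
        if res + ":*" not in resources:
            resources.append(res + ":*")
        stmt["Resource"] = resources
    return fixed


def resource_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Does some Allow statement for `action` list a Resource pattern that
    matches the requested ARN? Allow-only; no Deny/Condition evaluation."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(iam_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    rev3 = "arn:aws:ecs:us-east-1:123456789012:task-definition/sleep360:3"
    for idx, res in find_unpinned_task_definitions(ISSUE_POLICY):
        print(f"Statement[{idx}]: unpinned task-definition resource {res}")
    print(json.dumps(pin_task_definition_family(ISSUE_POLICY), indent=2))
    print("revision 3 allowed:", resource_allowed(ISSUE_POLICY, "ecs:RunTask", rev3))
```

Run against the sample, the audit flags only the bare family ARN; the rewrite leaves the single family:* entry, which matches any revision, while the bare entry matches only a request ARN with no revision at all, the case the notice describes as having been resolved to the latest revision. The script reads a policy document as Python data, so it can be pointed at the JSON that `cdk synth` emits for a state machine role to check what EcsRunTask actually generated.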
