slowdog | 3 days ago
As a heavy EC2 user who hasn't used ECS, the behavior makes perfect sense as ECS is running on EC2 but unless I sat and thought about it my first instinct would be that AWS would make it "secure by default" on a container level since containers often have different permission requirements and so the container would be the security boundary. That said, I'm guessing it would have been obvious to anyone once they start setting up IAM permissions and therefore not much of a pitfall. So it's a good reminder, but I agree with you, maybe the article doesn't need to be so long to get to the same point.
otterley | 3 days ago | parent
ECS uses bog standard Linux containers. It tries hard to isolate what it can, but there are limits to what it can do that are inherent to the model. Back when I was an AWS containers specialist SA, I used to tell customers that containers aren’t security boundaries, and should not be treated as such. VMs are much better isolation constructs. And containers usually have no business accessing IMDS; that’s why not using v2 with a max hop count of 1 should raise a security finding by default at any customer.
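The "security finding" otterley describes, written out as a check over `aws ec2 describe-instances` output. This is an added example, not code from the thread; the `MetadataOptions` field names are the real API names, while the instance records and ids are constructed for the example.

```python
"""Flag EC2 instances whose IMDS settings still let a container on the host
reach the instance role: IMDSv1 allowed, or a PUT response hop limit above 1.

Input has the shape of `aws ec2 describe-instances` output. The MetadataOptions
keys (HttpEndpoint, HttpTokens, HttpPutResponseHopLimit) are the real API names;
the instances below are constructed for this example (placeholder ids)."""

SAMPLE = {
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0000000000000001",   # compliant: v2 only, 1 hop
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000000002",   # IMDSv1 still allowed
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000000003",   # v2 only, but 2 hops
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0000000000000004",   # IMDS off entirely: compliant
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 64}},
        ]}]}


def imds_findings(describe_instances: dict) -> list[tuple[str, str]]:
    """Return (instance_id, reason) for every instance that fails the policy
    "IMDSv2 required with hop limit 1". A disabled endpoint is compliant, since
    nothing on the host, container or not, can reach IMDS at all."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"],
                                 "IMDSv1 allowed (HttpTokens != required)"))
            # The hop limit is the IP TTL on the IMDSv2 PUT response. One hop
            # reaches the host's own network stack; a bridge-networked container
            # sits one hop further, so any limit above 1 reopens IMDS to it.
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                findings.append((inst["InstanceId"], f"hop limit {hops} > 1"))
    return findings


# Remediation for a flagged instance (real CLI flags):
#   aws ec2 modify-instance-metadata-options --instance-id <id> \
#       --http-tokens required --http-put-response-hop-limit 1
if __name__ == "__main__":
    for instance_id, reason in imds_findings(SAMPLE):
        print(f"FINDING {instance_id}: {reason}")
```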