otterley 3 days ago

ECS uses bog-standard Linux containers. It tries hard to isolate what it can, but there are limits to what it can do that are inherent to the model.

Back when I was an AWS containers specialist SA, I used to tell customers that containers aren’t security boundaries, and should not be treated as such. VMs are much better isolation constructs.

And containers usually have no business accessing IMDS; that’s why not using v2 with a max hop count of 1 should raise a security finding by default at any customer.
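One way to turn the "IMDSv2 required, hop limit 1" baseline into an automated finding, as an added example that is not part of the original comment: it parses the shape of `aws ec2 describe-instances` output (a constructed sample is embedded) and flags instances that still allow IMDSv1 or set a hop limit above 1. The sample instance IDs are placeholders.

```python
"""Flag EC2 instances whose IMDS settings let containers reach the
credentials endpoint. Added example, not from the original comment."""
import json

# Constructed sample in the shape of `aws ec2 describe-instances`,
# trimmed to the MetadataOptions fields the check needs.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0001",   # IMDSv1 still allowed
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0002",   # v2 enforced, but hop limit too high
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example0003",   # meets the baseline
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0004",   # IMDS disabled entirely: nothing to reach
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
]}]})


def imds_findings(describe_instances_json: str) -> dict[str, list[str]]:
    """Return {instance_id: [finding, ...]} for every instance that fails
    the baseline. With a hop limit of 1 the IMDSv2 PUT response carries an
    IP TTL of 1, so it expires before crossing a container bridge network;
    a higher limit lets bridged containers obtain a token."""
    findings: dict[str, list[str]] = {}
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # endpoint off: no exposure regardless of other settings
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 still allowed (HttpTokens != required)")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                problems.append(f"hop limit {hops} lets bridged containers reach IMDS")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI command that enforces the baseline on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for iid, probs in imds_findings(SAMPLE_DESCRIBE_INSTANCES).items():
        print(iid, "->", "; ".join(probs))
        print("   fix:", remediation_command(iid))
```

Against real accounts, feed it `aws ec2 describe-instances --output json` and run the printed remediation command only after confirming no workload still depends on IMDSv1 or on a higher hop count.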