AWS ECS/Fargate Task Definition Execution IAM Role Not Found

The task execution IAM role is the role that ECS (the container agent on EC2, or the Fargate platform) assumes on your behalf to pull container images and publish container logs to Amazon CloudWatch. This policy generates an alert if a task definition does not reference a task execution role.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS ECS/Fargate task definition execution IAM Role not found.
JSON Query:
$.resource[*].aws_ecs_task_definition exists and $.resource[*].aws_ecs_task_definition[*].*[*].container_definitions exists and ($.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyNull or $.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyEmpty)
Recommended solution: add a task execution IAM role to the task definition.
Every task definition should reference a task execution IAM role. Make sure the "aws_ecs_task_definition" block in your template has an "execution_role_arn" attribute set to the ARN of that IAM role.
For example:
"aws_ecs_task_definition": [
  {
    "service": [
      {
        "container_definitions": "${file("task-definitions/service.json")}",
        "execution_role_arn": "arn:aws:iam",
        "family": "service"
      }
    ]
  }
]
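To see which resources the Build rule would flag, here is an added Python re-implementation of the JSON query above (example code, not Prisma Cloud's own evaluation engine). It walks the same path, $.resource[*].aws_ecs_task_definition[*].*[*], over a constructed Terraform-JSON template in the array layout used in the example above, applying the anyNull and anyEmpty conditions per task definition. The resource names, the "[]" container definitions and the account id in the sample role ARN are made up, and with_execution_role is a hypothetical helper that applies the recommended fix to a copy of the template.

```python
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample in the array-style Terraform-JSON layout the query above
# expects. "no_role" omits execution_role_arn (anyNull), "empty_role" sets it
# to "" (anyEmpty), and "good" references a role (account id is a placeholder).
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "resource": [
        {
            "aws_ecs_task_definition": [
                {
                    "no_role": [
                        {
                            "container_definitions": '${file("task-definitions/service.json")}',
                            "family": "service",
                        }
                    ],
                    "empty_role": [
                        {
                            "container_definitions": "[]",
                            "execution_role_arn": "",
                            "family": "worker",
                        }
                    ],
                    "good": [
                        {
                            "container_definitions": "[]",
                            "execution_role_arn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
                            "family": "api",
                        }
                    ],
                }
            ]
        }
    ]
}


def iter_task_definitions(template: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (resource_name, body) for each aws_ecs_task_definition block,
    following $.resource[*].aws_ecs_task_definition[*].*[*]."""
    for resource in template.get("resource", []):
        for block in resource.get("aws_ecs_task_definition", []):
            for name, bodies in block.items():
                for body in bodies:
                    yield name, body


def find_missing_execution_role(template: Dict[str, Any]) -> List[str]:
    """Names of task definitions that satisfy the alert condition: a
    container_definitions attribute is present and execution_role_arn is
    absent or null (anyNull) or an empty/blank string (anyEmpty)."""
    flagged: List[str] = []
    for name, body in iter_task_definitions(template):
        if "container_definitions" not in body:
            continue  # the query requires container_definitions to exist
        role = body.get("execution_role_arn")
        if role is None or (isinstance(role, str) and not role.strip()):
            flagged.append(name)
    return flagged


def with_execution_role(template: Dict[str, Any], role_arn: str) -> Dict[str, Any]:
    """Hypothetical remediation helper: return a deep copy of the template in
    which every flagged task definition gets execution_role_arn set to role_arn.
    The original template is left untouched."""
    fixed = copy.deepcopy(template)
    flagged = set(find_missing_execution_role(fixed))
    for name, body in iter_task_definitions(fixed):
        if name in flagged:
            body["execution_role_arn"] = role_arn
    return fixed


if __name__ == "__main__":
    print("flagged:", find_missing_execution_role(SAMPLE_TEMPLATE))
    remediated = with_execution_role(
        SAMPLE_TEMPLATE, "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"
    )
    print("after fix:", find_missing_execution_role(remediated))
```

Running the script reports "no_role" and "empty_role" as flagged and an empty list after the fix; a task definition that has no container_definitions attribute at all is deliberately skipped, because the query only fires when that attribute exists.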

Run Rule Recommendation

Create a task definition revision.
  1. Open the Amazon ECS console.
  2. From the navigation bar, choose the region that contains your task definition.
  3. In the navigation pane, choose Task Definitions.
  4. On the Task Definitions page, select the box to the left of the task definition to revise and choose Create new revision.
  5. Under Task execution IAM role, select a Task execution role, or create a new one.
  6. Verify the information and choose Update, then Create.
  7. If your task definition is used in a service, update your service with the updated task definition.
  8. Deactivate previous task definition.
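The console steps above can also be scripted. The following added Python example (not AWS's or Prisma Cloud's own code) builds the new revision the way steps 4 and 5 do: it takes the body that ecs:DescribeTaskDefinition returns for the current revision, drops the read-only fields that ecs:RegisterTaskDefinition rejects, and sets executionRoleArn. The sample task definition, its image URI, log group and account ids are constructed; register_revision is a thin wrapper that needs boto3 and AWS credentials and is not called by default.

```python
import copy
import re
from typing import Any, Dict

# Fields present in describe_task_definition()["taskDefinition"] that are
# assigned by ECS and must not be sent back to register_task_definition.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# IAM role ARNs have no region component: arn:<partition>:iam::<account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample resembling the describe_task_definition output for a
# Fargate task that writes logs via awslogs but has no executionRoleArn.
SAMPLE_TASK_DEFINITION: Dict[str, Any] = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/service:3",
    "family": "service",
    "revision": 3,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {
            "name": "app",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
            "essential": True,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/service",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "app",
                },
            },
        }
    ],
    "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"}],
    "compatibilities": ["EC2", "FARGATE"],
}


def needs_execution_role(task_def: Dict[str, Any]) -> bool:
    """True when the revision has no executionRoleArn (missing or empty)."""
    return not task_def.get("executionRoleArn")


def build_revision_with_execution_role(task_def: Dict[str, Any], role_arn: str) -> Dict[str, Any]:
    """Return the keyword arguments for register_task_definition: the current
    body minus ECS-assigned fields, with executionRoleArn set to role_arn."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    body = {k: copy.deepcopy(v) for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    body["executionRoleArn"] = role_arn
    return body


def register_revision(task_def: Dict[str, Any], role_arn: str, region: str) -> str:
    """Register the new revision (steps 4-6) and return its ARN.
    Requires boto3 and credentials; the import is deferred so the pure
    functions above can be used without it."""
    import boto3  # assumed available only when this function is called

    ecs = boto3.client("ecs", region_name=region)
    response = ecs.register_task_definition(
        **build_revision_with_execution_role(task_def, role_arn)
    )
    return response["taskDefinition"]["taskDefinitionArn"]


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"  # placeholder
    if needs_execution_role(SAMPLE_TASK_DEFINITION):
        revision = build_revision_with_execution_role(SAMPLE_TASK_DEFINITION, role)
        print("would register:", sorted(revision))
```

After register_revision returns, steps 7 and 8 correspond to ecs:UpdateService with the new task definition ARN and ecs:DeregisterTaskDefinition on the old revision; both are left out here because they act on live services.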


There is 1 standard that is applicable to this policy:
  • MITRE ATT&CK [Beta]
