Use when working with Amazon ECS - designing clusters, writing task definitions, choosing between Fargate and EC2 launch types, configuring services, load balancing, auto scaling, networking (awsvpc/bridge), IAM roles (task role vs execution role), service discovery, deployments, or any ECS architecture and troubleshooting decisions
Comprehensive Amazon ECS guidance covering architecture, task definitions, services, networking, IAM, auto scaling, and production patterns. Based on the official AWS ECS developer guide.
Activate this skill when:
Don't use this skill for:
ECS has three layers:
| Layer | What It Does |
|---|---|
| Capacity | Infrastructure where containers run (Fargate, EC2, on-premises) |
| Controller | ECS scheduler — places, starts, and monitors tasks |
| Provisioning | How you interface with ECS (Console, CLI, CDK, SDK) |

| Component | Description |
|---|---|
| Task Definition | JSON blueprint describing containers, CPU/memory, networking, IAM, volumes |
| Task | A running instance of a task definition (one-off or batch) |
| Service | Long-running task manager — maintains desired count, replaces failures |
| Cluster | Logical grouping of capacity and services |
- awsvpc network mode exclusively
- ip target type on load balancer target groups

When to use Fargate:
Preferred over hardcoding launch type. A strategy lets you mix Fargate and EC2, or Fargate and Fargate Spot:

```json
"capacityProviderStrategy": [
  { "capacityProvider": "FARGATE", "weight": 1, "base": 1 },
  { "capacityProvider": "FARGATE_SPOT", "weight": 3, "base": 0 }
]
```

The `base` guarantees 1 task on Fargate; the remaining tasks are then split by `weight`, 1:3, so roughly 3 tasks land on Spot for every 1 on regular Fargate.
Task definitions are versioned JSON documents. Each new registration creates a new revision; old revisions remain available.

```json
{
  "family": "my-app",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "512",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::ACCOUNT:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::ACCOUNT:role/my-app-task-role",
  "containerDefinitions": [
    {
      "name": "my-app",
      "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
      "portMappings": [{ "containerPort": 8080, "protocol": "tcp" }],
      "essential": true,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/my-app",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        { "name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:..." }
      ]
    }
  ]
}
```
| CPU (units) | Valid Memory |
|---|---|
| 256 (.25 vCPU) | 512 MB – 2 GB |
| 512 (.5 vCPU) | 1 GB – 4 GB |
| 1024 (1 vCPU) | 2 GB – 8 GB |
| 2048 (2 vCPU) | 4 GB – 16 GB |
| 4096 (4 vCPU) | 8 GB – 30 GB |
| 8192 (8 vCPU) | 16 GB – 60 GB |
| 16384 (16 vCPU) | 32 GB – 120 GB |
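As an added example (not code from the page or from AWS), a small linter that encodes the Fargate rules stated above: awsvpc is mandatory, the CPU/memory pair must be one Fargate accepts, containers that use secrets or awslogs need an execution role, and the execution and task roles should not be the same ARN. Memory is in MiB as ECS expects it; the per-CPU step sizes are taken from the Fargate documentation rather than the table, and the sample task definition is a constructed copy of the one shown above.

```python
# Added example, not from the page or AWS: a linter that encodes the Fargate rules above.
# Memory is in MiB as ECS expects; the per-CPU step sizes come from the Fargate docs.
FARGATE_MEMORY_MIB = {  # cpu units -> (min MiB, max MiB, step MiB or None = exact list)
    256: (512, 2048, None), 512: (1024, 4096, 1024), 1024: (2048, 8192, 1024),
    2048: (4096, 16384, 1024), 4096: (8192, 30720, 1024),
    8192: (16384, 61440, 4096), 16384: (32768, 122880, 8192),
}

def fargate_memory_ok(cpu: int, memory: int) -> bool:
    """True if (cpu, memory) is a combination Fargate accepts."""
    if cpu not in FARGATE_MEMORY_MIB:
        return False
    lo, hi, step = FARGATE_MEMORY_MIB[cpu]
    if step is None:                       # .25 vCPU: exactly 512, 1024 or 2048
        return memory in (512, 1024, 2048)
    return lo <= memory <= hi and (memory - lo) % step == 0

def lint_task_definition(td: dict) -> list:
    """Return (severity, message) findings for a task definition dict."""
    findings = []
    fargate = "FARGATE" in td.get("requiresCompatibilities", [])
    if fargate and td.get("networkMode") != "awsvpc":
        findings.append(("error", "Fargate requires networkMode awsvpc"))
    if fargate and not fargate_memory_ok(int(td.get("cpu", 0)), int(td.get("memory", 0))):
        findings.append(("error", f"invalid Fargate cpu/memory {td.get('cpu')}/{td.get('memory')}"))
    exec_role, task_role = td.get("executionRoleArn"), td.get("taskRoleArn")
    if exec_role and exec_role == task_role:
        findings.append(("warning", "executionRoleArn equals taskRoleArn; keep the roles separate"))
    for c in td.get("containerDefinitions", []):
        # secrets and awslogs are set up by the ECS agent, so they need the execution role
        needs_exec = c.get("secrets") or c.get("logConfiguration", {}).get("logDriver") == "awslogs"
        if needs_exec and not exec_role:
            findings.append(("error", f"{c['name']}: secrets/awslogs need executionRoleArn"))
        ref = c.get("image", "").rsplit("/", 1)[-1]   # repository part after the last slash
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            findings.append(("warning", f"{c['name']}: image not pinned (tag :latest or none)"))
    return findings

# Constructed sample modelled on the task definition shown above
SAMPLE = {"family": "my-app", "requiresCompatibilities": ["FARGATE"], "networkMode": "awsvpc",
          "cpu": "512", "memory": "1024",
          "executionRoleArn": "arn:aws:iam::ACCOUNT:role/ecsTaskExecutionRole",
          "taskRoleArn": "arn:aws:iam::ACCOUNT:role/my-app-task-role",
          "containerDefinitions": [{"name": "my-app", "essential": True,
              "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
              "secrets": [{"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:..."}],
              "logConfiguration": {"logDriver": "awslogs", "options": {}}}]}
if __name__ == "__main__":
    print(lint_task_definition(SAMPLE))
```

Run against the sample above it reports only the unpinned `:latest` tag; switching the sample to bridge networking, 256 CPU with 4096 MiB, or dropping the execution role produces the corresponding errors.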
Configure per-container so a sidecar crash doesn't kill the whole task:

```json
"restartPolicy": {
  "enabled": true,
  "ignoredExitCodes": [0],
  "restartAttemptPeriod": 300
}
```
ECS uses three distinct roles. Mixing them up causes the most common permission errors.
- Who uses it: The ECS agent (not your code)
- Purpose: Allows ECS to do setup work on your task's behalf
Required permissions for common scenarios: