
In January 2026, a new version of Container Security for Amazon ECS will be available. A small update to your Fargate task role will be required. We will then be able to automatically patch your Fargate task definitions with our latest runtime security sensors.

The following changes will be required when upgrading to version 2.0.0:

  • IAM permissions

    The task roles must have an IAM policy with additional permissions needed by Container Security. You will not be able to upgrade to the latest version if you do not have a task role with those permissions. You can copy the JSON below to create a new policy or extend your existing policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:GetParameter",
                "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/V1CS/*"
            },
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:${Region}:${Account}:secret:/V1CS/${CLUSTER_NAME}/AuthToken-*"
            },
            {
                "Effect": "Allow",
                "Action": "ecs:TagResource",
                "Resource": "arn:aws:ecs:${Region}:${Account}:task/*"
            }
        ]
    }

    Where:

    • ${Region} - The region where the Fargate container is hosted (for example, us-east-1)
    • ${Account} - The AWS account that manages the Fargate container
    • ${CLUSTER_NAME} - The cluster this Fargate service deploys to. You can replace this field with * to apply this IAM role to all clusters.
  • ECS service upgrade

    If your ECS services' task roles have the required permissions specified above, and you have enabled runtime security, the service tasks will be automatically updated to a new task definition version with the latest runtime sensor patched into it.

  • Standalone ECS task upgrade

    If you have standalone ECS tasks with the required IAM permissions and you have enabled runtime security, a new task definition will be created automatically with the latest runtime sensor patched into it. Unlike ECS services, you will need to manually deploy the new task definition to your cluster.

  • Proxy configuration

    Since task definitions will be patched automatically, you also won’t need to specify the proxy settings for each task definition. The process will be the same as it currently is for ECS EC2: you can configure the proxy settings from the console and they will automatically apply to all Fargate tasks and services. For further details, refer to the Online Help article, Configure a proxy for ECS instances.
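An offline pre-check for the IAM permissions item above, added here as an example and not the vendor's own code: it takes a task role's policy document and reports which of the three required permissions it does not grant for a given region, account and cluster. The function names, the account ID 123456789012 and the probe resource names are assumptions made for illustration.

```python
import re

# Actions and resources from the policy above; the trailing name segments
# (example-param, AbCdEf, 0123456789abcdef) are constructed probe values.
REQUIRED = [
    ("ssm:GetParameter", "arn:aws:ssm:{region}:{account}:parameter/V1CS/example-param"),
    ("secretsmanager:GetSecretValue",
     "arn:aws:secretsmanager:{region}:{account}:secret:/V1CS/{cluster}/AuthToken-AbCdEf"),
    ("ecs:TagResource", "arn:aws:ecs:{region}:{account}:task/{cluster}/0123456789abcdef"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def missing_permissions(policy, region, account, cluster):
    """Return the required (action, arn) probes that no Allow statement covers.
    Simplified: Deny, NotAction/NotResource and Condition are not evaluated."""
    missing = []
    for action, template in REQUIRED:
        arn = template.format(region=region, account=account, cluster=cluster)
        covered = any(
            stmt.get("Effect") == "Allow"
            and any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, arn) for r in _as_list(stmt.get("Resource", [])))
            for stmt in _as_list(policy.get("Statement", []))
        )
        if not covered:
            missing.append((action, arn))
    return missing

# Constructed sample: policy scoped to cluster "prod", without ecs:TagResource.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter",
     "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/V1CS/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/V1CS/prod/AuthToken-*"},
]}

if __name__ == "__main__":
    for action, arn in missing_permissions(SAMPLE_POLICY, "us-east-1", "123456789012", "prod"):
        print("not granted:", action, "on", arn)
```

Because the check probes with sample ARNs and skips Deny and Condition evaluation, an empty result means the Allow statements look sufficient, not that the role is guaranteed to pass in AWS.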

For support assistance, please contact TrendAI™ Technical Support.