ECS & EKS
ECS (Elastic Container Service) is AWS's native container orchestrator. EKS (Elastic Kubernetes Service) is managed Kubernetes. Both can run on EC2 (you manage nodes) or Fargate (serverless containers — AWS manages the underlying infrastructure).
ECS is a managed restaurant with a fixed menu (AWS orchestration). EKS is a restaurant where you supply your own chef (Kubernetes) but AWS owns the building. Fargate is food delivery — no kitchen management needed.
ECS concepts: Task Definition (like a Dockerfile for a multi-container app), Service (maintains desired count, integrates with ALB), Cluster (logical grouping). EKS: managed control plane (API server, etcd) with self-managed or managed node groups or Fargate. Fargate eliminates node management but costs more per vCPU than EC2. Choose ECS for simpler AWS-native workloads; choose EKS for Kubernetes portability, existing K8s tooling, or to avoid vendor lock-in.
ECS on Fargate: task-level IAM permissions come from the task IAM role (not an instance profile). ECS Service Connect provides service-to-service discovery and observability. ECS Exec lets you exec into running containers for debugging (uses SSM Session Manager, so no open ports are needed). EKS: the control plane is fully managed and HA across AZs; Karpenter provides fast, cost-optimized node provisioning. EKS Blueprints and ACK (AWS Controllers for Kubernetes) let you manage AWS resources from Kubernetes. Cost comparison: ECS Fargate is simpler but ~30% more expensive than EC2 for equivalent workloads; EKS on EC2 with Karpenter + Spot can be very cost-efficient.
ECS is AWS-native and simpler; EKS is for teams already invested in Kubernetes or needing portability. Both support Fargate for serverless operation. For greenfield AWS apps, I prefer ECS Fargate for its simplicity. For organizations with existing Kubernetes expertise or multi-cloud requirements, EKS makes sense. Task IAM roles in ECS provide per-task permissions — I always use these over instance profiles to follow least privilege.
A common mistake is assigning permissions via the EC2 instance profile in ECS instead of the task IAM role. This grants every task on the instance the same permissions rather than per-task least privilege, creating a security risk.
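A defender's check for the pitfall above, added here as an example and not part of the original notes: it audits ECS task definitions (the JSON shape returned by `aws ecs describe-task-definition`) for tasks that have no task role, and so would fall back to the instance profile on the EC2 launch type, or that reuse the execution role as the task role. The sample task definitions, account id and role names are constructed for the example.

```python
import json

# Constructed sample task definitions in the shape of the `taskDefinition` object
# returned by `aws ecs describe-task-definition` (account id and role names are made up).
SAMPLE_TASK_DEFS = [
    {
        "family": "payments-api", "revision": 7,
        "taskRoleArn": "arn:aws:iam::123456789012:role/payments-api-task",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "api", "image": "example/payments:1.2"}],
    },
    {
        # No taskRoleArn: on the EC2 launch type the containers can use the
        # instance profile credentials via IMDS, shared with every other task on the host.
        "family": "report-worker", "revision": 3,
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "worker", "image": "example/reports:0.9"}],
    },
    {
        # Execution role (used by the ECS agent to pull images and ship logs) reused
        # as the task role: the application inherits the agent's permissions.
        "family": "legacy-batch", "revision": 12,
        "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "batch", "image": "example/batch:4"}],
    },
]


def from_describe_output(text):
    """Extract the task definition object from raw `describe-task-definition` JSON output."""
    return json.loads(text)["taskDefinition"]


def audit_task_definition(td):
    """Return a list of finding strings for one task definition (empty when clean)."""
    findings = []
    name = f"{td['family']}:{td['revision']}"
    task_role = td.get("taskRoleArn")
    exec_role = td.get("executionRoleArn")
    if not task_role:
        findings.append(f"{name}: no taskRoleArn; containers fall back to the instance profile")
    elif task_role == exec_role:
        findings.append(f"{name}: taskRoleArn equals executionRoleArn; give the app its own role")
    return findings


def audit_task_definitions(task_defs):
    """Map 'family:revision' to its findings, for task definitions that have any."""
    results = {f"{td['family']}:{td['revision']}": audit_task_definition(td) for td in task_defs}
    return {name: found for name, found in results.items() if found}
```

Feed real output through `from_describe_output` and the audit flags every task definition that needs its own least-privilege task role.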