Introduction
ECS Exec depends on AWS Systems Manager. A task can be healthy and serving traffic while aws ecs execute-command still fails because exec is disabled, the task lacks SSM connectivity, or the required IAM permissions are missing.
Symptoms
- aws ecs execute-command returns TargetNotConnectedException or a generic execute command failure
- The ECS service is healthy, but shell access into the task never starts
- Only some tasks in the same service support exec while others do not
- The issue begins after a new task definition revision or subnet change
Common Causes
- ECS Exec was not enabled on the service or task definition
- The operator or task role lacks the required SSM permissions
- Private subnets cannot reach SSM endpoints through NAT or VPC endpoints
- Tasks were started before the execute-command capability was available
Step-by-Step Fix
1. Confirm exec is enabled for the service and task
Check the service flag and task details first so you do not debug IAM for a feature that was never enabled.
aws ecs describe-services --cluster my-cluster --services my-service --query 'services[0].enableExecuteCommand'
aws ecs describe-tasks --cluster my-cluster --tasks <task-id>
2. Review operator and task IAM permissions
The caller and the task both need SSM-related permissions for ECS Exec to succeed.
aws iam list-attached-role-policies --role-name <task-role-name>
aws sts get-caller-identity
3. Validate network reachability to SSM endpoints
Private tasks need either outbound internet through NAT or interface endpoints for ssm, ssmmessages, and ec2messages.
aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>
aws ec2 describe-route-tables --route-table-ids <rtb-id>
4. Force a new deployment after fixing the root cause
Existing tasks may need replacement even after IAM or networking is corrected.
aws ecs update-service --cluster my-cluster --service my-service --force-new-deployment
aws ecs execute-command --cluster my-cluster --task <task-id> --container app --interactive --command "/bin/sh"
Prevention
- Enable ECS Exec deliberately in service definitions
- Standardize SSM endpoint requirements for private ECS subnets
- Test exec on every new service before relying on it during incidents
- Review both operator IAM and task IAM during rollout checks
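The enablement and endpoint checks from the fix steps can be run offline against saved CLI output as a rollout check. This Python sketch is an added example, not part of the original guide: it reads the JSON from aws ecs describe-tasks and aws ec2 describe-vpc-endpoints, classifies each task by its enableExecuteCommand flag and ExecuteCommandAgent status, and lists which of the guide's three SSM services lack an available endpoint. The status labels, helper names and sample data are constructed for illustration.

```python
# Service list follows the guide; all sample data below is constructed.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def classify_tasks(describe_tasks, container):
    """Map taskArn -> exec readiness from `aws ecs describe-tasks` output."""
    result = {}
    for task in describe_tasks.get("tasks", []):
        if not task.get("enableExecuteCommand", False):
            # Launched without the flag: only a replacement task fixes this.
            result[task["taskArn"]] = "exec-disabled"
            continue
        status = "agent-missing"
        for c in task.get("containers", []):
            if c.get("name") != container:
                continue
            for agent in c.get("managedAgents", []):
                if agent.get("name") == "ExecuteCommandAgent":
                    ok = agent.get("lastStatus") == "RUNNING"
                    status = "ready" if ok else "agent-not-running"
        result[task["taskArn"]] = status
    return result


def missing_endpoints(describe_vpc_endpoints, region):
    """Required services lacking an available endpoint in the CLI output."""
    available = {
        ep.get("ServiceName")
        for ep in describe_vpc_endpoints.get("VpcEndpoints", [])
        if ep.get("State", "").lower() == "available"
    }
    return [s for s in REQUIRED_SERVICES
            if f"com.amazonaws.{region}.{s}" not in available]


def _task(arn, enabled, agent_status=None):
    """Constructed describe-tasks entry holding only the fields read above."""
    agents = ([{"name": "ExecuteCommandAgent", "lastStatus": agent_status}]
              if agent_status else [])
    return {"taskArn": arn, "enableExecuteCommand": enabled,
            "containers": [{"name": "app", "managedAgents": agents}]}


SAMPLE_TASKS = {"tasks": [_task("task/old", False),
                          _task("task/stuck", True, "STOPPED"),
                          _task("task/new", True, "RUNNING")]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "State": "pending"}]}
```

An "exec-disabled" task needs a replacement task after the flag is enabled, while "agent-not-running" points at the task role or SSM reachability. The endpoint result only matters for subnets that have no NAT route.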
Verification
After applying the fix, verify the exact symptom that made the incident visible instead of relying on one green log line. Re-run the command, request, deployment, or browser path that failed before the change and capture the new output for the incident record.
- Confirm the original error message no longer appears in application, platform, or edge logs.
- Check the affected dependency path from the client side and from the server side when both are available.
- Watch the next scheduled job, deploy, cache refresh, or certificate renewal cycle so the fix survives the normal operating path.
- Record the final configuration value, command output, and timestamp in the runbook entry for this failure (ECS Exec command failed because ExecuteCommandAgent is not running).
Rollback
If the fix changes routing, credentials, certificates, state, cache behavior, or runtime configuration, keep a rollback path ready before applying it to production. Save the previous configuration, identify the owner of the affected service, and define the signal that will trigger rollback.
1. Restore the last known-good configuration or state reference if validation shows a wider blast radius.
2. Re-run the same diagnostic checks from the fix section to confirm the rollback returned the system to the previous behavior.
3. Leave a short note explaining why the attempted fix was reverted so the next responder does not repeat the same change.
Operational Notes
Use this guide as an incident workflow, not as a blind checklist. The safest order is to collect the current state, confirm the narrowest failing component, apply one focused change, and then re-test the same path that failed. Avoid combining unrelated fixes while working an ECS Exec failure where the ExecuteCommandAgent is not running; otherwise the team will not know which change restored service or which change caused a later regression.
For production systems, capture command output before and after each change. Include timestamps, hostnames, environment names, account IDs, namespaces, certificate names, or configuration keys when they are relevant. These details make the guide useful during a future incident and help separate a real recurrence from a similar-looking but unrelated failure.
Escalate when the failing path crosses a boundary your team does not own, such as a managed cloud control plane, identity provider, external DNS service, payment gateway, or shared network appliance. Share the exact failing request, correlation ID, command output, and change window with the owning team. Keep customer-facing mitigation separate from root-cause repair: it is often safer to route around the broken dependency first, then schedule the permanent cleanup after traffic is stable.