Introduction

Amazon ECS Exec allows you to run commands inside a container or open an interactive shell. When it fails, you can't debug running containers, view logs interactively, or troubleshoot issues in production environments.

Symptoms

```bash
$ aws ecs execute-command --cluster my-cluster --task abc123 --container nginx --command "/bin/bash" --interactive

An error occurred (InvalidParameterException) when calling the ExecuteCommand operation: The execute command is not enabled on the task.
```

Other common errors:

```bash
TargetNotConnectedException: The instance is not connected to the Session Manager
AccessDeniedException: User is not authorized to perform ssm:StartSession
InvalidParameterException: Execute command is not enabled for this service
```

Common Causes

  1. Execute command disabled - Task/service doesn't have enableExecuteCommand set
  2. Missing IAM permissions - Task role lacks SSM permissions
  3. No VPC endpoints - Private subnets can't reach SSM endpoints
  4. Agent version too old - ECS agent doesn't support Exec
  5. Container stopped - Task or container is not running
  6. Platform version - Fargate platform version doesn't support Exec
  7. Task definition issues - Init process enabled or other conflicts

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Enable Execute Command

For a service:

```bash
aws ecs update-service \
  --cluster my-cluster \
  --service my-service \
  --enable-execute-command \
  --force-new-deployment
```

For a standalone task:

```bash
aws ecs run-task \
  --cluster my-cluster \
  --task-definition my-task \
  --enable-execute-command
```

Note: For services, existing tasks must be replaced with new tasks that have execute command enabled.

Step 2: Add Required IAM Permissions

The task role (not the task execution role) must allow the SSM agent inside the container to open its Session Manager channels. These actions do not support resource-level permissions, so the resource must be `*`:

```bash
aws iam put-role-policy \
  --role-name my-ecs-task-role \
  --policy-name ECSExecPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel"
        ],
        "Resource": "*"
      }
    ]
  }'
```

For cross-account scenarios, additional permissions may be needed.
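Rather than reading the policy JSON by eye, you can ask IAM itself whether the role is allowed to call the four actions above. The script below is an added example and not part of the original article; it uses the real `aws iam simulate-principal-policy` command and assumes the caller's credentials allow `iam:SimulatePrincipalPolicy`. The role ARN is a placeholder.

```shell
# Added example: verify an ECS task role grants the actions ECS Exec needs.
# Not from the original article; the role ARN below is a placeholder.

# Actions the SSM agent inside the container must be allowed to call.
ECS_EXEC_ACTIONS="ssmmessages:CreateControlChannel ssmmessages:CreateDataChannel ssmmessages:OpenControlChannel ssmmessages:OpenDataChannel"

# Reads "action<TAB>decision" lines on stdin (the --output text form of the
# simulator's EvaluationResults) and prints every action that is not "allowed".
# Decision values from the simulator are: allowed, explicitDeny, implicitDeny.
# Returns 0 when every action is allowed, 1 otherwise.
report_denied_actions() {
  denied=0
  while IFS="$(printf '\t')" read -r action decision; do
    [ -n "$action" ] || continue
    if [ "$decision" != "allowed" ]; then
      echo "DENIED: $action ($decision)"
      denied=1
    fi
  done
  return $denied
}

# Runs the IAM policy simulator for the task role and reports denied actions.
# $ECS_EXEC_ACTIONS is deliberately unquoted so it expands to separate arguments.
check_task_role_for_exec() {
  role_arn="$1"  # e.g. arn:aws:iam::123456789012:role/my-ecs-task-role (placeholder)
  aws iam simulate-principal-policy \
    --policy-source-arn "$role_arn" \
    --action-names $ECS_EXEC_ACTIONS \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text | report_denied_actions
}

# Usage: sh check-exec-role.sh arn:aws:iam::123456789012:role/my-ecs-task-role
if [ "$#" -eq 1 ]; then
  check_task_role_for_exec "$1"
fi
```

If audit logging (Step 10) is switched on, add the `logs:*` and `kms:Decrypt` actions that configuration needs to `ECS_EXEC_ACTIONS` and re-run; the simulator also honours permission boundaries and SCPs, which a plain read of the inline policy misses.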

Step 3: Verify Container and Task Status

```bash
# Check task status
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].[lastStatus,containers[*].name,containers[*].lastStatus]'

# Verify execute command is enabled
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].enableExecuteCommand'
```

Must return true and task must be in RUNNING state.
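Steps 1 to 3 (and the platform-version check in Step 6) can be folded into one preflight script. The following is an added example, not code from the original article: it pulls the task's status, `enableExecuteCommand` flag, launch type, platform version and the `ExecuteCommandAgent` managed-agent status in one `describe-tasks` call and prints every blocker it finds. Cluster, task id and container name are assumed arguments.

```shell
# Added example: ECS Exec preflight. Not from the original article; cluster,
# task id and container name are placeholders passed on the command line.

# Returns 0 if dotted version $1 >= $2 (e.g. 1.4.0 >= 1.3.1), 1 otherwise.
# Also usable for the agent check in Step 5: version_ge "$agent" 1.45.0
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0 }'
}

# Evaluate one task: $1 lastStatus, $2 enableExecuteCommand (True/False),
# $3 launchType, $4 platformVersion (or None for EC2), $5 ExecuteCommandAgent
# lastStatus (or None when the agent was never injected). Prints each blocker;
# exit status 0 means ECS Exec should work for this task.
ecs_exec_diagnose() {
  status="$1"; enabled="$2"; launch="$3"; pv="$4"; agent="$5"
  rc=0
  if [ "$status" != "RUNNING" ]; then
    echo "task is $status, not RUNNING"; rc=1
  fi
  if [ "$enabled" != "True" ]; then
    echo "enableExecuteCommand is $enabled; redeploy with --enable-execute-command"; rc=1
  fi
  if [ "$launch" = "FARGATE" ] && [ "$pv" != "LATEST" ] && ! version_ge "$pv" "1.4.0"; then
    echo "Fargate platform version $pv is below 1.4.0"; rc=1
  fi
  if [ "$agent" != "RUNNING" ]; then
    echo "ExecuteCommandAgent is $agent (needs RUNNING): check task role SSM permissions and VPC endpoints"; rc=1
  fi
  return $rc
}

# Fetch the fields with one describe-tasks call and feed them to the checker.
ecs_exec_preflight() {
  cluster="$1"; task="$2"; container="$3"
  aws ecs describe-tasks --cluster "$cluster" --tasks "$task" --output text \
    --query "tasks[0].[lastStatus, enableExecuteCommand, launchType, platformVersion, containers[?name=='$container'].managedAgents[?name=='ExecuteCommandAgent'].lastStatus | [0][0]]" \
  | {
      IFS="$(printf '\t')" read -r status enabled launch pv agent
      ecs_exec_diagnose "$status" "$enabled" "$launch" "$pv" "$agent"
    }
}

# Usage: sh ecs-exec-preflight.sh my-cluster abc123 nginx
if [ "$#" -eq 3 ]; then
  ecs_exec_preflight "$1" "$2" "$3"
fi
```

The managed-agent status is the most useful single signal: when `enableExecuteCommand` is true but the agent never reaches `RUNNING`, the task was launched correctly and the problem is almost always the task role (Step 2) or network reachability to SSM (Step 4).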

Step 4: Check Network Connectivity

For tasks in private subnets without internet access:

```bash
# List VPC endpoints
aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=vpc-12345

# Check if the ssmmessages endpoint exists (replace "region" with your region, e.g. us-east-1)
aws ec2 describe-vpc-endpoints \
  --filters Name=service-name,Values=com.amazonaws.region.ssmmessages
```

Create required VPC endpoints:

```bash
# ssmmessages is an interface endpoint; the CLI defaults to Gateway, so the type must be set explicitly.
# Private DNS lets the agent resolve the regional ssmmessages hostname to the endpoint.
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssmmessages \
  --subnet-ids subnet-1 subnet-2 \
  --security-group-ids sg-12345 \
  --private-dns-enabled
```

Required endpoints:

  • com.amazonaws.region.ssmmessages - For SSM Session Manager (the only one ECS Exec itself needs)
  • com.amazonaws.region.ecr.api - If using ECR images
  • com.amazonaws.region.ecr.dkr - If using ECR images
  • com.amazonaws.region.logs - If using CloudWatch logs

The security group attached to the interface endpoint must allow inbound TCP 443 from the tasks' security group, otherwise the agent still cannot connect.
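To turn the list above into a check, the added script below (not from the original article) compares the endpoint service names already present in a VPC with the ones required, and fails only when `ssmmessages`, the one ECS Exec depends on, is absent. The VPC id and region are assumed arguments.

```shell
# Added example: report missing VPC endpoints for ECS Exec in a private subnet.
# Not from the original article; vpc id and region are placeholders.

# Prints the endpoint service names a private-subnet task needs: ssmmessages
# for ECS Exec itself, plus the optional ones for ECR images and CloudWatch logs.
required_endpoints() {
  region="$1"
  printf '%s\n' \
    "com.amazonaws.$region.ssmmessages" \
    "com.amazonaws.$region.ecr.api" \
    "com.amazonaws.$region.ecr.dkr" \
    "com.amazonaws.$region.logs"
}

# $1 = region, $2 = whitespace-separated list of existing endpoint service names.
# Prints one line per missing endpoint. Returns 1 only when ssmmessages is
# missing (a hard blocker for ECS Exec); the others are reported but non-fatal.
missing_endpoints() {
  region="$1"; existing="$2"; rc=0
  for svc in $(required_endpoints "$region"); do
    case " $existing " in
      *" $svc "*) ;;
      *)
        echo "MISSING: $svc"
        if [ "$svc" = "com.amazonaws.$region.ssmmessages" ]; then rc=1; fi
        ;;
    esac
  done
  return $rc
}

# Wrapper around the real CLI call: the --query keeps only the service names,
# and --output text joins them with whitespace, which missing_endpoints expects.
check_vpc_endpoints() {
  vpc_id="$1"; region="$2"
  existing=$(aws ec2 describe-vpc-endpoints --region "$region" \
    --filters "Name=vpc-id,Values=$vpc_id" \
    --query 'VpcEndpoints[].ServiceName' --output text)
  missing_endpoints "$region" "$existing"
}

# Usage: sh check-exec-endpoints.sh vpc-12345 us-east-1
if [ "$#" -eq 2 ]; then
  check_vpc_endpoints "$1" "$2"
fi
```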

Step 5: Check ECS Agent Version

For EC2 launch type, verify agent version:

```bash
# SSH to the EC2 instance and query the agent's local metadata endpoint
curl -s http://localhost:51678/v1/metadata | jq '.Version'

# Or via SSM
aws ssm send-command \
  --instance-ids i-abc123 \
  --document-name AWS-RunShellScript \
  --parameters 'commands=["docker inspect ecs-agent | jq .[0].Config.Image"]'
```

ECS Exec requires agent version 1.45.0 or later.

To update the agent:

```bash
# On the EC2 instance: update the package, then restart only the ECS agent service
# (restarting Docker is not needed and would disrupt running task containers)
sudo yum update -y ecs-init

# Amazon Linux 2 / 2023 (systemd)
sudo systemctl restart ecs

# Amazon Linux 1 (upstart)
sudo stop ecs && sudo start ecs
```

Step 6: Check Fargate Platform Version

For Fargate tasks:

```bash
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].platformVersion'
```

ECS Exec requires:

  • Platform version 1.4.0 or later for Linux tasks
  • Platform version 1.0.0 or later for Windows tasks

Update service to use correct platform version:

```bash
aws ecs update-service \
  --cluster my-cluster \
  --service my-service \
  --platform-version 1.4.0 \
  --force-new-deployment
```

Step 7: Check for Init Process Conflicts

If the task definition has initProcessEnabled: true, it may conflict with ECS Exec. The setting lives under each container's linuxParameters, so query that rather than the top-level compatibility list:

```bash
aws ecs describe-task-definition --task-definition my-task \
  --query 'taskDefinition.containerDefinitions[*].[name,linuxParameters.initProcessEnabled]'
```

For Fargate tasks with initProcessEnabled, the init process may interfere. Consider:

  • Setting initProcessEnabled: false
  • Using a custom entrypoint that supports both

Step 8: Test Connection

After fixing configuration:

```bash
# Test execute command
aws ecs execute-command \
  --cluster my-cluster \
  --task abc123 \
  --container nginx \
  --command "/bin/bash" \
  --interactive

# Or for a one-off command
aws ecs execute-command \
  --cluster my-cluster \
  --task abc123 \
  --container nginx \
  --command "ls -la /app" \
  --non-interactive
```

Step 9: Check Session Manager Plugin

Ensure Session Manager plugin is installed locally:

```bash
# Check if installed
session-manager-plugin

# Install if missing (macOS)
brew install --cask session-manager-plugin

# Install if missing (Linux)
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
sudo dpkg -i session-manager-plugin.deb
```

Step 10: Debug with CloudWatch Logs

Enable audit logging to diagnose issues. The execute command configuration (logging and optional KMS encryption) is set on the cluster with update-cluster, not on the service:

```bash
# kmsKeyId must be a customer-managed key; AWS-managed keys such as alias/aws/ebs
# can only be used by their own service. "alias/my-exec-key" is a placeholder.
# The log group must already exist.
aws ecs update-cluster \
  --cluster my-cluster \
  --configuration "executeCommandConfiguration={kmsKeyId=alias/my-exec-key,logging=OVERRIDE,logConfiguration={cloudWatchLogGroupName=/aws/ecs/exec/my-service}}"

# With logging and encryption enabled, the task role additionally needs
# logs:CreateLogStream, logs:DescribeLogGroups, logs:DescribeLogStreams and
# logs:PutLogEvents on the log group, and kms:Decrypt on the key.
```

Check CloudWatch logs at /aws/ecs/exec/my-service for session details.

Verification

```bash
# Verify execute command is enabled
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].enableExecuteCommand'

# Test interactive shell
aws ecs execute-command \
  --cluster my-cluster \
  --task abc123 \
  --container nginx \
  --command "/bin/sh" \
  --interactive

# Session should open successfully
```


<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Fix AWS ECS Exec Command Not Working", "description": "Troubleshoot ECS Exec failures. Enable execute command, configure IAM roles, fix network connectivity, and resolve session issues.", "url": "https://www.fixwikihub.com/fix-aws-ecs-exec-command-not-working", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-03-31T22:56:50.898Z", "dateModified": "2026-03-31T22:56:50.898Z" } </script>