Introduction
ECS tasks in PENDING state are scheduled but haven't transitioned to RUNNING. The task has been placed on a container instance, but something is preventing the container from starting. Tasks stuck in PENDING indicate a launch or configuration problem.
Symptoms
```bash
$ aws ecs describe-tasks --cluster my-cluster --tasks abc123 --query 'tasks[*].[lastStatus,stoppedReason]'
[["PENDING", null]]
```
In the ECS console, the task shows:
Status: PENDING
(Details tab shows no containers started)
Common Causes
1. Insufficient resources - Instance lacks CPU, memory, or network ports
2. Image pull failure - Container image doesn't exist, access denied, or timeout
3. Network configuration - Incorrect VPC, subnets, or security groups
4. IAM role issues - Task execution role missing or insufficient permissions
5. Task definition errors - Invalid container definition
6. Container instance issues - Docker daemon problems on the host
7. EFS mount failures - EFS volume can't be mounted
8. Startup dependency failure - Init container or dependency not ready
Step-by-Step Fix
1. Check logs for specific error messages
2. Verify configuration settings
3. Test network connectivity
4. Review recent changes
5. Apply corrective action
6. Verify the fix
Step 1: Check Task Details and Stopped Reason
```bash
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].[lastStatus,stoppedReason,containers[*].reason]'
```
If the task eventually stops, check the reason:
```bash
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].stoppedReason'
```
Common stopped reasons:
- Resource is no longer able to be provisioned
- Task failed to start
- CannotPullContainerError: access denied
- CannotPullContainerError: registry timeout
Step 2: Check Container Instance Resources
For EC2 launch type:
```bash
# Get the container instance ARN
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].containerInstanceArn'

# Check remaining resources and whether the ECS agent is connected
aws ecs describe-container-instances \
  --cluster my-cluster \
  --container-instances arn:aws:ecs:region:account:container-instance/my-cluster/abc123 \
  --query 'containerInstances[*].[remainingResources,agentConnected]'
```
Look at remaining CPU and memory. If insufficient:
```bash
# Add more instances to the cluster
aws autoscaling set-desired-capacity \
  --auto-scaling-group-name my-asg \
  --desired-capacity 5
```
For Fargate, check your service quotas:
```bash
aws service-quotas get-service-quota \
  --service-code fargate \
  --quota-code L-3032A538 # Fargate On-Demand resource count
```
Step 3: Check Container Image Access
```bash
# Get image from task definition
aws ecs describe-task-definition --task-definition my-task:1 \
  --query 'taskDefinition.containerDefinitions[*].image'

# Test image pull manually (on EC2 instance)
docker pull nginx:latest
```
For ECR images, verify permissions:
```bash
# Confirm the repository exists
aws ecr describe-repositories --repository-names my-repo

# Verify ECR policy allows pull
aws ecr get-repository-policy --repository-name my-repo
```
Task execution role needs:
```json
{
  "Effect": "Allow",
  "Action": [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
  ],
  "Resource": "*"
}
```
Step 4: Check Network Configuration
```bash
aws ecs describe-tasks --cluster my-cluster --tasks abc123 \
  --query 'tasks[*].attachments[*].details'
```
Verify:
- Subnets exist and are in the same VPC
- Security groups allow necessary traffic
- For Fargate, subnets must have internet access (NAT gateway) or VPC endpoints
Test connectivity:
```bash
# Run a test task to check connectivity
aws ecs run-task \
  --cluster my-cluster \
  --task-definition debug-task \
  --launch-type FARGATE \
  --network-configuration 'awsvpcConfiguration={subnets=[subnet-12345],securityGroups=[sg-12345],assignPublicIp=ENABLED}'
```
Step 5: Check EFS Mount Issues
If the task uses EFS volumes:
```bash
# Check task definition for EFS configuration
aws ecs describe-task-definition --task-definition my-task:1 \
  --query 'taskDefinition.volumes[*].efsVolumeConfiguration'

# Verify EFS mount targets exist in task subnets
aws efs describe-mount-targets --file-system-id fs-12345
```
EFS requirements:
- Mount targets in each subnet used by tasks
- Security group allows NFS (port 2049) from task security group
Step 6: Check IAM Roles
Task needs two roles:
- Task execution role - For pulling images, writing logs
- Task role - For application to access AWS services
```bash
# Check task execution role
aws ecs describe-task-definition --task-definition my-task:1 \
  --query 'taskDefinition.executionRoleArn'

# Verify role exists and has correct permissions
aws iam get-role --role-name ecsTaskExecutionRole
```
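The execution-role requirements from Step 3 (the four ECR pull actions) and from this step (the trust policy shown just below) can be checked offline against policy JSON, for example the `AssumeRolePolicyDocument` returned by `aws iam get-role`. The following Python is an added example, not part of the original article; the function names and sample policies are hypothetical and constructed for illustration.

```python
import fnmatch

# ECR pull actions the page lists for the task execution role.
REQUIRED_ECR_ACTIONS = ("ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage")


def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def trust_allows_ecs_tasks(trust_policy):
    """True if ecs-tasks.amazonaws.com may call sts:AssumeRole on the role."""
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "ecs-tasks.amazonaws.com" in services and "sts:assumerole" in actions:
            return True
    return False


def missing_ecr_actions(permissions_policy):
    """Required ECR actions that no Allow statement grants (wildcards honoured)."""
    # Simplification: ignores Deny, NotAction, Condition and Resource scoping.
    patterns = [a.lower() for s in _allow_statements(permissions_policy)
                for a in _as_list(s.get("Action"))]
    return [req for req in REQUIRED_ECR_ACTIONS
            if not any(fnmatch.fnmatchcase(req.lower(), p) for p in patterns)]


# Constructed samples: a role created for EC2 instead of ECS tasks, and a
# policy that grants ecr:Get* but forgets ecr:BatchGetImage.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}}
SAMPLE_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:Get*", "ecr:BatchCheckLayerAvailability"]}]}

if __name__ == "__main__":
    print(trust_allows_ecs_tasks(SAMPLE_TRUST), missing_ecr_actions(SAMPLE_PERMS))
```

When tightening the policy, `ecr:GetAuthorizationToken` has to keep `"Resource": "*"`, while the other three actions can be scoped to the repository ARN.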
Required trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Step 7: Check CloudWatch Logs
```bash
# Get log configuration
aws ecs describe-task-definition --task-definition my-task:1 \
  --query 'taskDefinition.containerDefinitions[*].logConfiguration'

# Check if log group exists
aws logs describe-log-groups --log-group-name-prefix /ecs/my-task
```
Create log group if missing:
```bash
aws logs create-log-group --log-group-name /ecs/my-task
```
Step 8: Check Docker Events on Container Instance
For EC2 launch type, SSH into the instance:
```bash
# Check Docker events
docker events --filter 'type=container' &

# Check containerd logs
journalctl -u containerd -f

# Check ECS agent logs
tail -f /var/log/ecs/ecs-agent.log.*
```
Step 9: Review ECS Service Events
If task is part of a service:
```bash
aws ecs describe-services --cluster my-cluster --services my-service \
  --query 'services[*].events[:5]'
```
Look for patterns like:
- service my-service was unable to place a task
- service my-service is unable to consistently start tasks
Step 10: Verify Port Mappings
Check for port conflicts:
```bash
# Check task definition ports
aws ecs describe-task-definition --task-definition my-task:1 \
  --query 'taskDefinition.containerDefinitions[*].portMappings'

# Check what ports are in use on container instance
# (remainingResources lists reserved host ports; the literal needs backticks)
aws ecs describe-container-instances \
  --cluster my-cluster \
  --container-instances arn:aws:ecs:region:account:container-instance/my-cluster/abc123 \
  --query 'containerInstances[*].remainingResources[?name==`PORTS`]'
```
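Steps 2 and 10 both ask whether the task fits on the instance. The following Python is an added example, not part of the original article: it compares the `remainingResources` list from `describe-container-instances` (where ECS reports host ports already reserved) with a task definition's `containerDefinitions` and names the blocking resource. It assumes the EC2 launch type with bridge or host networking; the function name and sample data are hypothetical.

```python
def _resource(resources, name):
    """Pick one entry (CPU, MEMORY, PORTS, ...) from a remainingResources list."""
    return next((r for r in resources if r.get("name") == name), {})


def placement_blockers(remaining, containers):
    """Reasons the containers cannot fit (container-level cpu/memory only)."""
    need_cpu = sum(c.get("cpu", 0) for c in containers)
    # memoryReservation is what gets reserved when set, otherwise memory.
    need_mem = sum(c.get("memoryReservation") or c.get("memory", 0)
                   for c in containers)
    free_cpu = _resource(remaining, "CPU").get("integerValue", 0)
    free_mem = _resource(remaining, "MEMORY").get("integerValue", 0)
    # For PORTS entries, remainingResources lists host ports already reserved.
    used = {"tcp": set(_resource(remaining, "PORTS").get("stringSetValue", [])),
            "udp": set(_resource(remaining, "PORTS_UDP").get("stringSetValue", []))}
    blockers = []
    if need_cpu > free_cpu:
        blockers.append(f"CPU: need {need_cpu}, {free_cpu} remaining")
    if need_mem > free_mem:
        blockers.append(f"MEMORY: need {need_mem}, {free_mem} remaining")
    for c in containers:
        for pm in c.get("portMappings", []):
            host_port = pm.get("hostPort", 0)  # 0 or absent means a dynamic port
            proto = pm.get("protocol", "tcp")
            if host_port and str(host_port) in used.get(proto, set()):
                blockers.append(f"PORT: {host_port}/{proto} already reserved")
    return blockers


# Constructed sample shaped like containerInstances[0].remainingResources.
SAMPLE_REMAINING = [
    {"name": "CPU", "type": "INTEGER", "integerValue": 512},
    {"name": "MEMORY", "type": "INTEGER", "integerValue": 2048},
    {"name": "PORTS", "type": "STRINGSET", "stringSetValue": ["22", "2375", "2376", "51678", "80"]},
    {"name": "PORTS_UDP", "type": "STRINGSET", "stringSetValue": []},
]
# Constructed sample shaped like taskDefinition.containerDefinitions.
SAMPLE_CONTAINERS = [
    {"name": "web", "cpu": 256, "memory": 1024,
     "portMappings": [{"containerPort": 80, "hostPort": 80, "protocol": "tcp"}]},
    {"name": "sidecar", "cpu": 512, "memoryReservation": 256,
     "portMappings": [{"containerPort": 9000}]},
]

if __name__ == "__main__":
    print(placement_blockers(SAMPLE_REMAINING, SAMPLE_CONTAINERS))
```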
Verification
```bash
# After fixing, restart task
aws ecs run-task --cluster my-cluster --task-definition my-task:1

# Monitor task status
aws ecs describe-tasks --cluster my-cluster --tasks NEW_TASK_ID \
  --query 'tasks[*].[lastStatus,containers[*].lastStatus]'
```
Task should transition:
- PENDING → RUNNING (within 1-2 minutes for EC2, 2-3 minutes for Fargate)
Related Issues
- [Fix AWS ECS Service Unstable](/articles/fix-aws-ecs-service-unstable)
- [Fix AWS ECS Exec Command Not Working](/articles/fix-aws-ecs-exec-command-not-working)
- [Fix AWS ECS Container Stuck in Creating](/articles/fix-aws-ecs-container-stuck-creating)