Amazon ECS provides support for Adding or Dropping Linux Capabilities to Containers

Adding or dropping Linux capabilities to containers has become convenient through the Amazon EC2 Container Service (Amazon ECS) by using the Docker’s cap-add & cap-drop flags. Linux capabilities aides in processing and giving fine-grained access control without any root access to a system, requiring additional permissions and doesn’t add any unnecessary security risks.By default, Docker runs as “unprivileged”, thus cannot execute most system and network administration operations. The Docker “privileged” mode gives root access, but aren’t optimal nor secured for most workloads. Cap-add and cap-drop options specify capabilities to add or drop for each container in a specific task.