Skip to main content

ECS agent stop

ECS agent stop disrupts the state of infrastructure resources. This fault:

  • Induces an agent stop chaos on AWS ECS using Amazon SSM Run command, that is carried out by using SSM documentation which is in-built in the fault for the give chaos scenario.
  • Causes agent container stop on ECS for a specific duration, with a given CLUSTER_NAME environment variable using SSM documentation. Killing the agent container disrupts the performance of the task containers.

ECS Agent Stop

Use cases

ECS agent stop halts the agent that manages the task container on the ECS cluster, thereby impacting its delivery.


  • Kubernetes >= 1.17
  • The ECS container instance should be in healthy state.
  • ECS container metadata should be enabled (this feature is disabled by default). To enable it please follow the aws docs to Enabling container metadata. If you have your task running prior this activity you may need to restart it to get the metadata directory as mentioned in the docs.
  • You and ECS cluster instances have a role with the required AWS access to do SSM and ECS operations. Go to Systems Manager documentation.
  • The Kubernetes secret should have the AWS access configuration(key) in the CHAOS_NAMESPACE. A sample secret file looks like:
    apiVersion: v1
    kind: Secret
    name: cloud-secret
    type: Opaque
    cloud_config.yml: |-
    # Add the cloud AWS credentials respectively
    aws_access_key_id = XXXXXXXXXXXXXXXXXXX
    aws_secret_access_key = XXXXXXXXXXXXXXX

HCE recommends that you use the same secret name, that is, cloud-secret. Otherwise, you will need to update the AWS_SHARED_CREDENTIALS_FILE environment variable in the fault template with the new secret name and you won't be able to use the default health check probes.

Below is an example AWS policy to execute the fault.

"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [

"Resource": "*"
"Effect": "Allow",
"Action": [
"Resource": "*"
"Effect": "Allow",
"Action": [
"Resource": "*"
"Effect": "Allow",
"Action": [
"Resource": [

Mandatory tunables

Tunable Description Notes
CLUSTER_NAME Name of the target ECS cluster Single name supported For example, demo-cluster. For more information, go to cluster name.
REGION The AWS region name of the target ECS cluster For example, us-east-2

Optional tunables

Tunable Description Notes
TOTAL_CHAOS_DURATION The total time duration for chaos insertion (sec) Default: 30 s. For more information, go to duration of the chaos.
CHAOS_INTERVAL The interval (in sec) between successive instance termination. Default: 30 s. For more information, go to chaos interval.
AWS_SHARED_CREDENTIALS_FILE Provide the path for aws secret credentials Default: /tmp/cloud_config.yml
SEQUENCE It defines sequence of chaos execution for multiple instance Default: parallel. Supports serial and parallel. For more information, go to sequence of chaos execution.
RAMP_TIME Period to wait before and after injection of chaos in sec For example, 30 s. For more information, go to ramp time.

Agent stop

Target agent that is stopped for a specific duration. Tune it by using the CLUSTER_NAME environment variable.

The following YAML snippet illustrates the use of this environment variable:

# stops the agent of an ECS cluster
kind: ChaosEngine
name: engine-nginx
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
- name: ecs-agent-stop
# provide the name of ECS cluster
value: 'demo'
- name: REGION
value: 'us-east-2'
VALUE: '60'