Announcing managed daemon support for Amazon ECS Managed Instances | Amazon Web Services

Today, we’re announcing managed daemon support for Amazon Elastic Container Service (Amazon ECS) Managed Instances. This new capability expands the managed environment experience we introduced in September 2025, by giving platform engineers independent control over software such as monitoring, logging and tracking tools, without needing to interact with application development teams, while improving reliability by ensuring that each instance runs the required daemons and helping to monitor host status through completeness.

When running embedded workloads at scale, platform engineers manage a wide variety of tasks, from building development and patching to keeping applications running reliably and maintaining the agents that support those applications. Until now, many of these concerns were tightly coupled. Updating the agent meant coordinating with application groups, changing job definitions, and running all the applications, which is a very difficult task when running hundreds or thousands of services.

Reduced health system for demons

Amazon ECS now introduces a dedicated managed daemon architecture that enables platform teams to manage operating resources. This separation of concerns allows platform engineers to use and update analysis, logging, and back-end infrastructure, while enforcing consistent use of the resources required at all levels, without requiring application teams to re-deploy their services. Daemons are guaranteed to start before the execution of the process, and after the execution, ensuring that logging, tracing, and monitoring are always available when your application needs them.

Platform engineers can deploy managed daemons across multiple providers, or focus on specific providers, allowing them to deploy agents across their devices. Resource management is also centralized, allowing teams to define daemon CPU and memory layers separately from application architectures without the need to rebuild AMIs or update task definitions, while optimizing resource utilization as each instance runs a single copy of the daemon that is shared across multiple application tasks.

Let’s try it

To take ECS Managed Daemons for a spin, I decided to start with Amazon CloudWatch Agent as my first managed daemon. I had previously created an Amazon ECS cluster with a Managed Instance provider using the documentation.

From the Amazon Elastic Container Service console, I noticed a new Daemon job descriptions option in the navigation area, where I can define my managed daemons.

I chose Create a new daemon job definition to start. For this example, I configured the CloudWatch Agent with 1 vCPU and 0.5 GB of memory. To Daemon task definition family areaI wrote a name that I would know later.

For Part of the processI chose ecsTaskExecutionRole from the dropdown. Under Container In this section, I gave my container a descriptive name and set it to a URI image: public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest along with other additional information.

After checking everything, I chose Create.

Once the daemon job description was done, I went to Groups page, I selected the group I created before and found a new one Demons the tab.

Here I can just click Create a daemon button and fill out the form to configure my daemon.

Under Daemon configurationI selected my newly created daemon task definition family and gave my daemon a name. For Environmental planningI selected the ECS Managed Instances provider that I had created earlier. After confirming my settings, I selected Create.

ECS then automatically ensures that the daemon task is started on every ECS managed instance on my chosen client. To see this in action, I used an example nginx web service as a test task. Once my job was installed, I could see in the console that ECS Managed Daemons had automatically deployed the CloudWatch Agent daemon along with my application, without the need for manual intervention.

When I later upgraded my daemon, ECS handled the deployment automatically by provisioning the new instances with the updated daemon, starting the daemon first, then transferring the application tasks to the new instances before terminating the old ones. This “start before stopping” method ensures continuous daemon protection: your logging, monitoring and tracking agents are always running throughout the development process without gaps in data collection. The drain percentage I set controlled the speed of this change, giving me complete control over the addon’s updates regardless of the application’s runtime.

How it works

A managed daemon experience introduces a new daemon job definition that is separate from the job description, with its own parameters and authentication policy. It’s new daemon_bridge Network mode enables daemons to connect to application tasks while being isolated from network settings.

Managed daemons support advanced host-level access capabilities that are essential for operating systems. Platform engineers can configure daemon tasks as privileged containers, increase Linux capabilities, and mount paths from the host file system. This capability is especially important for monitoring and security agencies that need deep visibility into metrics, processes, and system calls.

When a daemon is used, ECS starts a single daemon process per container instance before placing application tasks. This ensures that the operating resources are in place before your application starts receiving traffic. ECS also supports rolling deployments with automatic rollbacks, so you can update agents with confidence.

Available now

Managed daemon support for Amazon ECS Managed Instances is available today in all AWS environments. To get started, visit the Amazon ECS console or review the Amazon ECS documentation. You can also check for new managed daemons Application Programming Interface (APIs) by visiting this site.

There are no additional costs for using managed daemons. You only pay for the normal computing resources used by your daemon tasks.