* [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
* [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
* [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
You should already have followed the [installation instructions](/docs/ecs/manual/install) to understand how to define the necessary components of the task definition for Consul on ECS.
You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [ACL system documentation](/docs/security/acl) and [Day 1: Security tutorials](https://learn.hashicorp.com/collections/consul/security) for an introduction and additional information.
Tokens are artifacts within the ACL system that authenticate users, services, and Consul agents. Tokens are linked to policies that specify the resources the token bearer has access to when making requests in the network.
This section describes how to manually create ACL tokens. You can install the ACL controller, however, to ease the burden of creating tokens. The ACL controller can automatically create ACL tokens for Consul on ECS. Refer to the [ACL Controller](/docs/manual/acl-controller) documentation for installation details.
The policy allows `node:write` for any node name, which is necessary because the Consul node names on ECS are not known until runtime.
You can add the policy in Consul using the [`consul acl policy create`](/commands/acl/policy/create) command or the [`[PUT] /v1/acl/policy`](/api-docs/acl/policies#create-a-policy) API endpoint.
If you intend to create a gateway for connecting multiple Consul datacenters, you will need additional policies to specify the permission scope.
#### Mesh gateway policy
Mesh gateways must run in the default namespace.
```hcl
namespace "default" { // If namespaces enabled
service "<Service Name>" {
policy = "write"
}
}
namespace_prefix "" { // If namespaces enabled
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
}
agent_prefix "" {
policy = "read"
}
```
#### Terminating gateway policy
```hcl
partition "<partition>" { // If partitions enabled
namespace "<namespace>" { // If namespaces enabled
service "<Service Name>" {
policy = "write"
}
node_prefix "" {
policy = "read"
}
}
}
```
#### Ingress gateway policy
```hcl
partition "<partition>" { // If partitions enabled
namespace "<namespace>" { // If namespaces enabled
Create the Consul client token and the service tokens after adding the necessary policies. Service tokens should be associated with a service identity. The service identity includes `service:write` permissions for the service and sidecar proxy.
You can create tokens using the [`consul acl token create`](/commands/acl/token/create) command or the [`[PUT] /v1/acl/token`](/api-docs/acl/tokens#create-a-token) API endpoint.
The following example shows how to use the Consul CLI to create a service token for a service named example-client-app:
| [`tls.defaults.ca_file`](/docs/agent/config/config-files#tls_defaults_ca_file) | string | Specifies the Consul server CA cert for TLS verification. |
| [`acl.enabled`](/docs/agent/config/config-files#acl_enabled) | boolean | Enable ACLs for this agent. |
| [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) | string | Specifies the Consul client token which authorizes this agent with Consul servers. |
