diff --git a/lib/aws.js b/lib/aws.js
new file mode 100644
index 0000000..5cc0cff
--- /dev/null
+++ b/lib/aws.js
@@ -0,0 +1,15 @@
+const AWS = require('aws-sdk');
+
+if (typeof process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI !== 'undefined') {
+  AWS.config.credentials = new AWS.ECSCredentials({
+    httpOptions: { timeout: 5000 },
+    maxRetries: 10,
+    retryDelayOptions: { base: 200 }
+  });
+}
+
+if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
+  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
+}
+
+module.exports = AWS;
diff --git a/lib/keys.js b/lib/keys.js
index 5ce7005..e0799c6 100644
--- a/lib/keys.js
+++ b/lib/keys.js
@@ -1,11 +1,7 @@
-const AWS = require('aws-sdk');
+const AWS = require('./aws');
 const async = require('async');
 const encoder = require('./encoder');
 
-if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
-  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
-}
-
 function decrypt(key, done) {
   var params = {
     CiphertextBlob: encoder.decode(key)
diff --git a/lib/secrets.js b/lib/secrets.js
index 2e5dbbe..f35f6cd 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -1,9 +1,5 @@
-const AWS = require('aws-sdk');
 const async = require('async');
-
-if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
-  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
-}
+const AWS = require('./aws');
 
 // Blatantly borrowed from https://www.electrictoolbox.com/pad-number-zeroes-javascript/
 function pad(number, length) {
diff --git a/package.json b/package.json
index a2f2312..bc5c9a6 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
   "dependencies": {
     "aes-js": "0.2.2",
     "async": "1.5.2",
-    "aws-sdk": "2.2.35",
+    "aws-sdk": "2.28.0",
     "xtend": "4.0.1"
   }
 }
diff --git a/test/aws.js b/test/aws.js
new file mode 100644
index 0000000..7ffb57f
--- /dev/null
+++ b/test/aws.js
@@ -0,0 +1,16 @@
+const should = require('chai').should();
+
+describe('AWS', () => {
+  const env = Object.assign({}, process.env);
+  process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = 'https://fake-uri';
+
+  afterEach(() => {
+    process.env = env;
+  });
+
+  it('can work with ecs credentials', (done) => {
+    const AWS = require('../lib/aws.js');
+    AWS.config.credentials.should.be.an.instanceOf(AWS.ECSCredentials);
+    done();
+  });
+});