diff --git a/agent/engine/serviceconnect/manager_linux.go b/agent/engine/serviceconnect/manager_linux.go
index 699cf479296..54b14c4a211 100644
--- a/agent/engine/serviceconnect/manager_linux.go
+++ b/agent/engine/serviceconnect/manager_linux.go
@@ -84,6 +84,12 @@ const (
 ecsAgentLogFileENV = "ECS_LOGFILE"
 defaultECSAgentLogPathContainer = "/log"
+
+ // This is the path to the host's PKI directory. The appnet agent container needs
+ // this directory mounted so that it can access the host's PKI directory for the
+ // purpose of utilizing any special CA certs that the underlying EC2 instance has
+ // configured.
+ hostPKIDirPath = "/etc/pki"
 )
 type manager struct {
@@ -207,6 +213,7 @@ func (m *manager) initAgentDirectoryMounts(taskId string, container *apicontaine
 hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(statusPathHost, m.statusPathContainer))
 hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(m.relayPathHost, m.relayPathContainer))
+ hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(hostPKIDirPath, hostPKIDirPath))
 // create logging directory and bind mount, if customer has not configured a logging driver
 if container.GetLogDriver() == "" {
diff --git a/agent/engine/serviceconnect/manager_linux_test_common.go b/agent/engine/serviceconnect/manager_linux_test_common.go
index 4e04b99d878..35b38444f37 100644
--- a/agent/engine/serviceconnect/manager_linux_test_common.go
+++ b/agent/engine/serviceconnect/manager_linux_test_common.go
@@ -129,6 +129,7 @@ func testAgentContainerModificationsForServiceConnect(t *testing.T, privilegedMo
 fmt.Sprintf("%s/status/%s:%s", tempDir, scTask.GetID(), "/some/other/run"),
 fmt.Sprintf("%s/relay:%s", tempDir, "/not/var/run"),
 fmt.Sprintf("%s/log/%s:%s", tempDir, scTask.GetID(), "/some/other/log"),
+ "/etc/pki:/etc/pki",
 }
 expectedENVs := map[string]string{
 "ReLaYgOeShErE": "unix:///not/var/run/relay_file_of_holiness",
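Review bot: The new bind in initAgentDirectoryMounts mounts the host's `/etc/pki` read-write — the resulting string is `/etc/pki:/etc/pki` with no `:ro` flag, and the test hunk further down pins exactly that form — so a compromised appnet container could add or replace CA certificates in the host's trust store, which is the opposite of what the hostPKIDirPath comment says the mount is for. Since the stated purpose is only to read the instance's extra CA certs, make it read-only: `hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(hostPKIDirPath, hostPKIDirPath)+":ro")`, assuming getBindMountMapping returns the plain `src:dst` form the test expects (its body is not in the hunk). Separately, `/etc/pki` is a RHEL/Amazon Linux layout; Debian-style hosts keep CA bundles under `/etc/ssl` and have no `/etc/pki`, and as far as I know the legacy Docker Binds API creates a missing host source directory rather than failing, so on such hosts this would silently create an empty root-owned `/etc/pki` — worth guarding the append with an `os.Stat(hostPKIDirPath)` check, or at least stating the distro assumption in the hostPKIDirPath comment. initAgentDirectoryMounts starts and ends outside the hunk.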
@@ -190,7 +191,7 @@ func testAgentContainerModificationsForServiceConnect(t *testing.T, privilegedMo
 if err != nil {
 t.Fatal(err)
 }
- assert.Equal(t, tc.expectedBinds, hostConfig.Binds)
+ assert.ElementsMatch(t, tc.expectedBinds, hostConfig.Binds)
 assert.Equal(t, tc.expectedENV, tc.container.Environment)
 if privilegedMode {
 for _, bind := range hostConfig.Binds {
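Review bot: Switching to assert.ElementsMatch drops the ordering check on hostConfig.Binds, and it does not look necessary: judging from the manager hunk, the pki bind is appended right after the relay bind and before the log bind, so listing `"/etc/pki:/etc/pki"` before the log entry in expectedBinds would let the test keep `assert.Equal(t, tc.expectedBinds, hostConfig.Binds)`. If the bind order genuinely is not deterministic, a one-line comment at the ElementsMatch call saying why order is ignored would spare the next reader the same question. testAgentContainerModificationsForServiceConnect starts and ends outside the hunk.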