Ensure public IP address is not assigned to Amazon Elastic Container Service (ECS)

HIGH

Description

Allowing unrestricted, public access to cloud services can expose an application directly to external attack. Assigning a public IP address to an ECS task makes it reachable from the internet, subject only to its security group rules, so disallowing this access is typically considered best practice.

Remediation

In ECS, the network mode is set in the task definition. When the task definition uses the awsvpc network mode, the network configuration (subnets, security groups, and whether to assign a public IP address) is supplied when the service is started in a cluster. When starting a new service, the option will be available to either enable or disable the use of a public IP address. Follow the AWS documentation (below) on creating new task definitions and how to use them in an ECS cluster.

In Terraform -

  1. In the 'aws_ecs_service' resource, set the attribute 'assign_public_ip' inside the 'network_configuration' block to false.
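The following Terraform is an added example, not configuration from the original page, Tenable, or AWS: it shows a service that this rule would flag next to the hardened form. The resource names, subnet, security group, task definition and load balancer references are assumed placeholders.

```hcl
# Added example. Names and references below are placeholders, not values from the page.

# The task definition must use awsvpc network mode (required for Fargate);
# this is what makes the per-task ENI, and therefore a public IP, possible.
resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"
  container_definitions    = jsonencode([{
    name      = "app"
    image     = "ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/app:latest" # placeholder
    essential = true
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]
  }])
}

# Weak: each task receives a public IP and is reachable from the internet,
# limited only by the attached security group. This is the finding AC_AWS_0399.
resource "aws_ecs_service" "app_public" {
  name            = "app-public"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = [aws_subnet.public_a.id]  # subnet with a route to an internet gateway
    security_groups  = [aws_security_group.app.id]
    assign_public_ip = true                      # flagged by this rule
  }
}

# Hardened: tasks run in private subnets without a public IP. Inbound traffic
# arrives only through the load balancer; outbound traffic (image pulls from ECR,
# CloudWatch logs) must go through a NAT gateway or VPC endpoints, otherwise
# tasks in private subnets fail to start.
resource "aws_ecs_service" "app_private" {
  name            = "app-private"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = [aws_subnet.private_a.id, aws_subnet.private_b.id]
    security_groups  = [aws_security_group.app.id]
    assign_public_ip = false                     # remediation for AC_AWS_0399
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.app.arn
    container_name   = "app"
    container_port   = 8080
  }
}
```

To confirm the deployed state rather than only the code, `aws ecs describe-services --cluster <cluster> --services <service> --query 'services[].networkConfiguration.awsvpcConfiguration.assignPublicIp'` should return `DISABLED` for every service in scope.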

References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#network_mode?icmpid=docs_ecs_hp-task-definition
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#assign_public_ip

Policy Details

Rule Reference ID: AC_AWS_0399
CSP: AWS
Remediation Available: Yes
Resource: aws_ecs_service
Resource Category: Compute

Frameworks