Ensure Amazon Elastic Container Service (ECS) clusters are placed in a VPC

HIGH

Description

An Amazon Elastic Container Service (ECS) task definition describes the Docker containers that ECS runs together as a task. Its network mode controls how those containers are attached to the network. With the 'awsvpc' mode, each task receives its own elastic network interface (ENI) with a private IP address in your VPC, so a task can be placed in a private subnet and assigned its own security group, just like an EC2 instance. The other modes ('bridge', 'host', 'none') share the container instance's network interface and cannot isolate or filter traffic per task. Use 'awsvpc' to keep container networking within your VPC and under security-group control. 'awsvpc' is mandatory for the Fargate launch type and optional (but recommended) for the EC2 launch type, where 'bridge' is the default on Linux. For details on how ECS task networking is configured, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html

Remediation

When creating your first ECS cluster in the AWS console, the wizard walks you through VPC setup. If you already have a VPC that you wish to use, see the section "Create a security group" in the documentation (below) as a starting point for the security group that your tasks' network interfaces will use.

In Terraform -

  1. In the aws_ecs_task_definition resource, set the network_mode field to "awsvpc". On the EC2 launch type the field defaults to "bridge" when omitted, so set it explicitly.
  2. In the aws_ecs_service resource that runs the task, add a network_configuration block listing the private subnets and the security groups the task ENIs should use; set assign_public_ip to false unless the task must be reachable from the internet.

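The following Terraform is an added example showing a non-compliant task definition beside the corrected one and the service wiring that 'awsvpc' requires. It is not code from the rule or from AWS; the resource names and the references to aws_vpc.main, aws_subnet.private, aws_security_group.alb and aws_ecs_cluster.main are hypothetical and stand in for your own VPC resources.

```hcl
# Added example, not part of the original page. Names such as "app",
# aws_vpc.main, aws_subnet.private, aws_security_group.alb and
# aws_ecs_cluster.main are hypothetical placeholders for your own resources.

# Non-compliant: "bridge" mode shares the container instance's network
# interface. Tasks get no ENI, no private IP of their own and no per-task
# security group, so this definition is what AC_AWS_0088 flags.
resource "aws_ecs_task_definition" "app_bridge" {
  family       = "app-bridge"
  network_mode = "bridge"
  container_definitions = jsonencode([{
    name      = "app"
    image     = "public.ecr.aws/docker/library/nginx:1.25"
    essential = true
    portMappings = [{ containerPort = 80, hostPort = 0, protocol = "tcp" }]
  }])
}

# Compliant: "awsvpc" gives every task its own ENI with a private IP address
# in the VPC. Fargate requires this mode; on the EC2 launch type it must be
# set explicitly because the default is "bridge".
resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 256
  memory                   = 512
  container_definitions = jsonencode([{
    name      = "app"
    image     = "public.ecr.aws/docker/library/nginx:1.25"
    essential = true
    portMappings = [{ containerPort = 80, protocol = "tcp" }]
  }])
}

# Security group attached to the task ENIs. Only the (hypothetical) load
# balancer's security group may reach port 80; nothing else is allowed in.
resource "aws_security_group" "ecs_tasks" {
  name   = "ecs-tasks"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# With "awsvpc" the service must say where the task ENIs live. Private
# subnets plus assign_public_ip = false keep the tasks off the internet;
# inbound traffic is then limited to what the security group permits.
resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = aws_subnet.private[*].id
    security_groups  = [aws_security_group.ecs_tasks.id]
    assign_public_ip = false
  }
}
```

Because the tasks sit in private subnets without public IPs, they can only pull images and reach AWS APIs through a NAT gateway or VPC endpoints (ECR, S3, CloudWatch Logs), so provision one of those routes before deploying or the tasks will fail to start.
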
References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-vpc
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition

Policy Details

Rule Reference ID: AC_AWS_0088
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks