Skip to main content

πŸ›‘οΈ AWS ECS Service automatically assigns public IP addresses🟒

  • Contextual name: πŸ›‘οΈ Service automatically assigns public IP addresses🟒
  • ID: /ce/ca/aws/ecs/service-public-ip-auto-assignment
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

This policy identifies AWS ECS Services that are configured to automatically assign public IP addresses to launched tasks. This option is available only when using the awsvpc network mode, which is required for the Fargate launch type.

Rationale​

Assigning public IP addresses to ECS tasks allows them to be directly reachable from the public internet. This exposure increases the risk of unauthorized access, including network scanning, brute-force attempts, and exploitation of application vulnerabilities.

Backend services and internal applications should be deployed within private subnets that do not have direct inbound or outbound internet routes. External access should be managed through Load Balancers, while outbound access should be routed through NAT Gateways.

Audit​

This policy marks an AWS ECS Service as INCOMPLIANT if the Assign Public IP configuration is set to Enabled.

Inactive ECS Services are marked as INAPPLICABLE.

Remediation​

Open File

Remediation​

Update the ECS Service Network Configuration​

Using the AWS CLI​

Changing the network configuration triggers a new service deployment.

  1. Prepare a network-config.json file. Ensure you include the correct subnets and security groups, but set assignPublicIp to DISABLED.

    {
    "awsvpcConfiguration": {
        "subnets": ["subnet-xxxx", "subnet-yyyy"],
        "securityGroups": ["sg-xxxx"],
        "assignPublicIp": "DISABLED"
    }
    }

  2. Run the update command:

    aws ecs update-service \
        --cluster {{cluster-name}} \
        --service {{service-name}} \
        --network-configuration file://network-config.json

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ECS.2] ECS services should not have public IP addresses assigned to them automatically1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Network Exposure132no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3784no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)237105no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1163no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81179no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)19no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10884no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)19no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)49no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(20) Dynamic Isolation and Segregation (H)20no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)37no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)49no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)189no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)63no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)679no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)19no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)768no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)19no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)49no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained89no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties133no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected187no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected160no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15559no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control31no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement3269123no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3763no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102372no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-21 Information Sharing219no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29493no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(3) Boundary Protection _ Access Points19no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services49no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic34no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic37no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components37no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation20no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components37no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.15no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.15no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.15no data