Profile Applicability:
Level 1
Description:
Amazon ECS (Elastic Container Service) runs containerized applications on clusters. When a task uses the awsvpc network mode, each task receives its own elastic network interface (ENI), and the service's network configuration (the assignPublicIp setting) controls whether that ENI is also given a public IP address. This SOP ensures that ECS services do not assign public IPs to their tasks, so internal services are not reachable directly from the internet. Tasks should carry only private IPs; inbound traffic that must reach them should arrive through a load balancer, and outbound internet access should leave through a NAT Gateway.
Rationale:
A task with a public IP is reachable from the internet as soon as its security group allows the traffic, so every task becomes a directly addressable host. Keeping tasks on private IPs removes that exposure, shrinks the attack surface, and follows the principle of least privilege: containers get only the network access they need.
Private addressing within the VPC also makes traffic easier to control and monitor, because everything that reaches or leaves a task passes a controlled point (a load balancer, a NAT Gateway, or a VPN) where access rules and logging can be applied.
Impact:
Pros:
Improved Security: Prevents ECS tasks from being directly exposed to the internet, reducing the potential for unauthorized access.
Compliance: Aligns with security best practices and compliance standards such as SOC 2, CIS, and PCI-DSS.
Network Control: Ensures that network traffic is routed through controlled services such as Application Load Balancers or NAT Gateways for more granular traffic management.
Cons:
Configuration Complexity: Public-facing services need a load balancer, and tasks in private subnets need a NAT Gateway or VPC endpoints to pull images from ECR and ship logs to CloudWatch; without that outbound path, tasks fail to start.
Cost and Latency: NAT Gateways and load balancers carry their own charges, and routing traffic through them can add latency for some flows.
Default Value:
The assignPublicIp setting applies only to tasks on the Fargate launch type; awsvpc tasks on EC2 container instances never receive public IPs. When a service is created through the API or CLI, assignPublicIp defaults to DISABLED. The ECS console, however, turns Public IP on by default when creating a Fargate service, so services created from the console frequently end up with public IPs unless the option was explicitly turned off.
Pre-requisite:
AWS IAM Permissions:
ecs:ListClusters and ecs:ListServices (to enumerate what to audit)
ecs:DescribeServices
ecs:CreateService
ecs:UpdateService
ec2:DescribeNetworkInterfaces
ec2:DescribeRouteTables (to confirm the task subnets route outbound traffic to a NAT Gateway before disabling public IPs)
AWS CLI installed and configured.
Basic knowledge of ECS services, VPCs, network modes, and task definitions.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to ECS under Services.
Go to Clusters, open the cluster, and select the service you want to inspect.
In the service details, review the Networking (network configuration) section.
Ensure that Public IP (Assign Public IP) is turned off (DISABLED).
If it is turned on, the service must be updated to disable it (see Implementation Steps).
Using AWS CLI:
To describe the ECS service and check the network configuration, run (describe-services accepts up to 10 service names per call):
aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[*].networkConfiguration.awsvpcConfiguration.assignPublicIp'
Review the output to ensure that the assignPublicIp field is set to DISABLED. Because the --query expression selects only that field, the output is a list with one value per service.
Example output:
[ "DISABLED" ]
If the result shows "ENABLED", the ECS service must be updated to disable public IP assignment. A service that uses bridge or host network mode has no awsvpcConfiguration and returns null; this check does not apply to it.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to ECS.
Go to the Clusters section and select the service to update.
Choose Update (Update service) and expand the Networking section.
Confirm that the selected subnets are private subnets with a route to a NAT Gateway (or that the required VPC endpoints exist), then turn off Public IP (Assign Public IP).
Save the changes. ECS starts a new deployment and replaces the running tasks with tasks that have only private IPs.
Using AWS CLI:
The --network-configuration argument replaces the whole awsvpcConfiguration, so the service's existing subnets and security groups must be passed again; omitting them is rejected by the CLI (subnets is required). Read them from describe-services first, then run:
aws ecs update-service \
  --cluster <cluster-name> \
  --service <service-name> \
  --network-configuration 'awsvpcConfiguration={subnets=[<subnet-id-1>,<subnet-id-2>],securityGroups=[<sg-id>],assignPublicIp=DISABLED}'
Changing the network configuration triggers a new deployment. After the deployment finishes, verify the configuration by running:
aws ecs describe-services --cluster <cluster-name> --services <service-name> --query 'services[*].networkConfiguration.awsvpcConfiguration.assignPublicIp'
The assignPublicIp attribute should now be DISABLED, and the new tasks should reach RUNNING. If they stop with an image pull error, the subnets lack an outbound path (NAT Gateway or VPC endpoints for ECR, S3 and CloudWatch Logs).
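The test plan and implementation steps above check one service at a time. The following script, added to this SOP as an example (it is not AWS code), applies the same check to the JSON that `aws ecs describe-services` returns and, for every service that assigns public IPs, builds the exact `update-service` command that disables them while preserving the service's existing subnets and security groups. The cluster, service, subnet and security-group identifiers in the embedded sample document are constructed for illustration; in practice you would pass a file saved from the real command.

```python
"""Audit ECS describe-services output for assignPublicIp=ENABLED
and generate the remediation command for each finding.

Usage (offline, on saved CLI output):
    aws ecs describe-services --cluster prod --services web worker > services.json
    python ecs_public_ip_audit.py services.json

With no argument the constructed sample document below is used.
"""
import json
import sys

# Constructed sample of `aws ecs describe-services` output; all IDs are made up.
SAMPLE_DESCRIBE_SERVICES = {
    "services": [
        {
            "serviceName": "web",
            "clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/prod",
            "launchType": "FARGATE",
            "networkConfiguration": {
                "awsvpcConfiguration": {
                    "subnets": ["subnet-0aaa1111", "subnet-0bbb2222"],
                    "securityGroups": ["sg-0ccc3333"],
                    "assignPublicIp": "ENABLED",
                }
            },
        },
        {
            "serviceName": "worker",
            "clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/prod",
            "launchType": "FARGATE",
            "networkConfiguration": {
                "awsvpcConfiguration": {
                    "subnets": ["subnet-0ddd4444"],
                    "securityGroups": ["sg-0eee5555"],
                    "assignPublicIp": "DISABLED",
                }
            },
        },
        {
            # bridge/host network mode: no awsvpcConfiguration, check not applicable
            "serviceName": "legacy",
            "clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/prod",
            "launchType": "EC2",
        },
    ]
}


def cluster_name(cluster_arn):
    """'arn:aws:ecs:...:cluster/prod' -> 'prod' (update-service accepts the name)."""
    return cluster_arn.rsplit("/", 1)[-1]


def find_public_ip_services(describe_output):
    """Return the services whose tasks are given a public IP.

    Services without an awsvpcConfiguration (bridge/host mode) are skipped,
    since assignPublicIp does not exist for them. Anything other than an
    explicit DISABLED is reported.
    """
    findings = []
    for svc in describe_output.get("services", []):
        vpc = svc.get("networkConfiguration", {}).get("awsvpcConfiguration")
        if vpc is None:
            continue
        if vpc.get("assignPublicIp", "DISABLED") != "DISABLED":
            findings.append(svc)
    return findings


def remediation_command(svc):
    """Build the update-service command that turns public IPs off.

    --network-configuration replaces the whole awsvpcConfiguration, so the
    current subnets and security groups are copied into the shorthand;
    leaving them out is rejected by the CLI (subnets is required).
    """
    vpc = svc["networkConfiguration"]["awsvpcConfiguration"]
    parts = ["subnets=[%s]" % ",".join(vpc["subnets"])]
    if vpc.get("securityGroups"):
        parts.append("securityGroups=[%s]" % ",".join(vpc["securityGroups"]))
    parts.append("assignPublicIp=DISABLED")
    netcfg = "awsvpcConfiguration={%s}" % ",".join(parts)
    return "aws ecs update-service --cluster %s --service %s --network-configuration '%s'" % (
        cluster_name(svc["clusterArn"]), svc["serviceName"], netcfg)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            doc = json.load(f)
    else:
        doc = SAMPLE_DESCRIBE_SERVICES
    findings = find_public_ip_services(doc)
    for svc in findings:
        print("FINDING: %s/%s assigns public IPs to its tasks"
              % (cluster_name(svc["clusterArn"]), svc["serviceName"]))
        print("  remediate: " + remediation_command(svc))
    return 1 if findings else 0  # non-zero exit makes it usable in CI


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the generated command only after confirming that the listed subnets route outbound traffic to a NAT Gateway (or that VPC endpoints exist), otherwise the replacement tasks cannot pull their images. Tasks started directly with run-task, outside a service, are not covered by describe-services and need a separate check.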
Backout Plan:
If disabling public IP assignment causes issues (typically tasks that cannot pull images or reach external dependencies because the subnets have no NAT route):
Identify the affected ECS service and record its current subnets and security groups.
Re-enable Assign Public IP for the service, passing the same subnets and security groups again, by running:
aws ecs update-service \
  --cluster <cluster-name> \
  --service <service-name> \
  --network-configuration 'awsvpcConfiguration={subnets=[<subnet-id-1>,<subnet-id-2>],securityGroups=[<sg-id>],assignPublicIp=ENABLED}'
Verify with describe-services that assignPublicIp is back to ENABLED and that the new deployment reaches a steady state.
Test the ECS service to ensure it functions properly with the public IP re-enabled, then treat the backout as temporary: fix the outbound path (NAT Gateway or VPC endpoints) and re-apply the remediation.
Note:
If ECS tasks need to be publicly accessible, place an Application Load Balancer (ALB) or Network Load Balancer (NLB) in public subnets in front of the service and register the tasks as targets; the tasks themselves stay in private subnets without public IPs, and their security group should accept traffic only from the load balancer's security group.
If tasks need outbound internet access, keep them in private subnets and route 0.0.0.0/0 to a NAT Gateway. Where the only external dependencies are AWS services (ECR image pulls, CloudWatch Logs, S3), VPC endpoints for those services can replace the NAT Gateway entirely.