Profile Applicability:

  • Level 1

Description:

In Amazon ECS, a task set is the unit that a service's deployment controller uses to run a group of tasks from one task definition; services that use the EXTERNAL deployment controller (and services deployed blue/green through CodeDeploy) manage their tasks through task sets. Tasks that use the awsvpc network mode, which is mandatory on Fargate, get their own elastic network interface (ENI), and the task set's networkConfiguration (the assignPublicIp field) decides whether that ENI also receives a public IPv4 address. This SOP ensures that ECS task sets do not assign public IPs to tasks. A public IP on a task, combined with a subnet route to an internet gateway and a security group that permits inbound traffic, exposes the container directly to the internet. Tasks should instead run with private IPs in private subnets of the VPC and, if they need outbound internet access, reach it through a NAT gateway or, for AWS services, through VPC endpoints.

Rationale:

A task with a public IP, a route to an internet gateway and a permissive security group is reachable directly from the internet, bypassing whatever load balancer, WAF or authentication layer sits in front of the service. Keeping public IPs off ensures that tasks are isolated within the VPC and reachable only through the paths you designed (a load balancer, VPC peering or PrivateLink), that outbound traffic leaves through a NAT gateway or VPC endpoints you control and can log, and that the deployment follows least privilege at the network layer.

Impact:

Pros:

  • Improved Security: Restricts direct internet access to the ECS tasks, reducing the risk of potential attacks.

  • Compliance: Helps meet security standards by avoiding public exposure of internal services.

  • Better Control: Tasks can be accessed only through a load balancer or private network connections, allowing for easier traffic management and monitoring.

Cons:

  • Additional Configuration: Requires private subnets with a NAT gateway or VPC endpoints when tasks need outbound access; a NAT gateway adds hourly and per-GB charges.

  • Potential Latency: Routing outbound traffic through a NAT gateway adds a hop to every external connection, which can matter for tasks with chatty external dependencies.

Default Value:

The ECS API and CLI default assignPublicIp to DISABLED when the field is omitted, and tools built on the API inherit that default unless they override it. The ECS console, however, turns public IP assignment on by default when you create a Fargate service or run a Fargate task, so task sets created from console-built services commonly have assignPublicIp set to ENABLED.

Pre-requisite:

  • AWS IAM Permissions:

    • ecs:DescribeServices

    • ecs:DescribeTaskSets

    • ecs:CreateTaskSet

    • ecs:UpdateTaskSet

    • ecs:UpdateServicePrimaryTaskSet

    • ecs:DeleteTaskSet

    • ecs:UpdateService (for services that use the ECS deployment controller)

    • ec2:DescribeNetworkInterfaces

  • AWS CLI installed and configured.

  • Basic understanding of ECS services and task sets, deployment controllers (ECS, CODE_DEPLOY, EXTERNAL), the Fargate launch type, the awsvpc network mode, and VPC subnets, route tables and security groups.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS under Services.

  3. Go to Clusters, then select the cluster that contains the ECS service.

  4. Open the service and review its network configuration; for a service that uses the EXTERNAL or CODE_DEPLOY deployment controller, review the network configuration of each of its task sets:

    • Ensure that the awsvpc network mode is in use and that public IP assignment is disabled.

    • If public IP assignment is enabled, the task set is non-compliant and must be remediated (see Implementation Steps).

  5. Verify that the running tasks use private IPs only: open a task and check that its network interface shows no public IP.

Using AWS CLI:

To describe the task sets of a service and check their network configuration, run:

 aws ecs describe-task-sets --cluster <cluster-name> --service <service-name> --query 'taskSets[*].networkConfiguration'

The query returns one entry per task set. Review each awsvpcConfiguration and ensure that assignPublicIp is set to DISABLED. The field only describes what new tasks will get: tasks launched while the setting was ENABLED keep their public IP until they are replaced, so also confirm that the task ENIs (aws ec2 describe-network-interfaces) carry no public address.

Example output:

 [
   {
     "awsvpcConfiguration": {
       "subnets": ["subnet-xxxxxx"],
       "securityGroups": ["sg-xxxxxx"],
       "assignPublicIp": "DISABLED"
     }
   }
 ]

If assignPublicIp is ENABLED, the task set is non-compliant. A task set's network configuration cannot be changed in place (the UpdateTaskSet API only changes a task set's scale), so remediation means replacing the task set or, for a service that uses the ECS deployment controller, updating the service; see Implementation Steps.
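The two checks above (the configured assignPublicIp value and the public IPs actually present on task ENIs) as one audit, written as an added example for this page rather than code from AWS or the original SOP. It consumes the JSON shapes returned by aws ecs describe-task-sets and aws ec2 describe-network-interfaces, so the core functions run offline against the constructed samples below; live_audit is the same logic against a real account through boto3. Every identifier (cluster, task set, subnet, ENI, address) is a placeholder, and the aws:ecs:clusterName tag is used to scope ENIs to one cluster.

```python
"""Audit ECS task sets for public IP assignment (added example, not from the page)."""
import json

# Constructed sample of `aws ecs describe-task-sets` output: one task set that
# assigns public IPs, one that does not, and one that omits the field.
SAMPLE_TASK_SETS = json.loads("""
{
  "taskSets": [
    {"id": "ecs-svc/1111111111111111111", "status": "PRIMARY", "launchType": "FARGATE",
     "networkConfiguration": {"awsvpcConfiguration": {
       "subnets": ["subnet-0aaaaaaa"], "securityGroups": ["sg-0aaaaaaa"],
       "assignPublicIp": "ENABLED"}}},
    {"id": "ecs-svc/2222222222222222222", "status": "ACTIVE", "launchType": "FARGATE",
     "networkConfiguration": {"awsvpcConfiguration": {
       "subnets": ["subnet-0bbbbbbb"], "securityGroups": ["sg-0bbbbbbb"],
       "assignPublicIp": "DISABLED"}}},
    {"id": "ecs-svc/3333333333333333333", "status": "ACTIVE", "launchType": "FARGATE",
     "networkConfiguration": {"awsvpcConfiguration": {
       "subnets": ["subnet-0ccccccc"], "securityGroups": ["sg-0ccccccc"]}}}
  ]
}
""")

# Constructed sample of `aws ec2 describe-network-interfaces` output for task ENIs.
# ECS tags awsvpc task ENIs with aws:ecs:clusterName, which scopes the audit.
SAMPLE_ENIS = json.loads("""
{
  "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaaaaaa", "PrivateIpAddress": "10.0.1.10",
     "Association": {"PublicIp": "203.0.113.10"},
     "TagSet": [{"Key": "aws:ecs:clusterName", "Value": "prod"}]},
    {"NetworkInterfaceId": "eni-0bbbbbbb", "PrivateIpAddress": "10.0.2.10",
     "TagSet": [{"Key": "aws:ecs:clusterName", "Value": "prod"}]},
    {"NetworkInterfaceId": "eni-0ddddddd", "PrivateIpAddress": "10.0.9.10",
     "Association": {"PublicIp": "203.0.113.99"},
     "TagSet": [{"Key": "aws:ecs:clusterName", "Value": "staging"}]}
  ]
}
""")


def public_ip_setting(task_set):
    """Return the task set's assignPublicIp value; the API default is DISABLED."""
    cfg = task_set.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
    return cfg.get("assignPublicIp", "DISABLED")


def noncompliant_task_sets(describe_task_sets_output):
    """IDs of task sets whose configuration gives new tasks a public IP."""
    return [ts["id"] for ts in describe_task_sets_output.get("taskSets", [])
            if public_ip_setting(ts) == "ENABLED"]


def enis_with_public_ip(describe_enis_output, cluster=None):
    """(ENI id, public IP) for task ENIs that actually carry a public address.

    Catches tasks launched before a task set was fixed: the configuration
    check alone says nothing about ENIs that already exist.
    """
    findings = []
    for eni in describe_enis_output.get("NetworkInterfaces", []):
        tags = {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}
        if cluster is not None and tags.get("aws:ecs:clusterName") != cluster:
            continue
        public_ip = eni.get("Association", {}).get("PublicIp")
        if public_ip:
            findings.append((eni["NetworkInterfaceId"], public_ip))
    return findings


def audit(task_sets_output, enis_output, cluster=None):
    """Combine both checks; compliant means both finding lists are empty."""
    bad_sets = noncompliant_task_sets(task_sets_output)
    bad_enis = enis_with_public_ip(enis_output, cluster)
    return {"compliant": not bad_sets and not bad_enis,
            "task_sets_assigning_public_ip": bad_sets,
            "enis_with_public_ip": bad_enis}


def live_audit(cluster, service, region=None):
    """Same audit against a real account (needs boto3, credentials, and the
    ecs:DescribeTaskSets and ec2:DescribeNetworkInterfaces permissions)."""
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    task_sets = ecs.describe_task_sets(cluster=cluster, service=service)
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "tag:aws:ecs:clusterName", "Values": [cluster]}])
    return audit(task_sets, enis, cluster)


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TASK_SETS, SAMPLE_ENIS, cluster="prod"), indent=2))
```

Against the samples the audit flags the first task set (ENABLED) and the ENI eni-0aaaaaaa, and treats the third task set, which omits assignPublicIp, as DISABLED because that is the API default; the staging ENI is ignored because the cluster filter excludes it.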

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS.

  3. Under Clusters, choose the cluster that contains the service.

  4. Select the service and click on Update. This applies to services that use the ECS deployment controller; task sets of an EXTERNAL-controller service cannot be edited in the console (use the CLI steps below), and for a CodeDeploy-managed service the setting lives in the AppSpec file (set AssignPublicIp to DISABLED under NetworkConfiguration/AwsvpcConfiguration and redeploy).

  5. In the Network Configuration section, ensure that awsvpc network mode is selected.

  6. Make sure that Assign Public IP is set to DISABLED (turned off).

  7. Save the changes. ECS starts a new deployment that replaces the running tasks with tasks that have private IPs only.

Using AWS CLI:

The UpdateTaskSet API only changes a task set's scale, so a task set's network configuration cannot be changed in place. For a service that uses the EXTERNAL deployment controller, disable public IP assignment by replacing the task set:

  1. Create a replacement task set with the same task definition, subnets and security groups, but with assignPublicIp=DISABLED:

 aws ecs create-task-set --cluster <cluster-name> --service <service-name> --task-definition <task-definition-arn> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<sg-id>],assignPublicIp=DISABLED}"

  2. Once its tasks are healthy, make the new task set primary so that the service's load balancer and service discovery point at it:

 aws ecs update-service-primary-task-set --cluster <cluster-name> --service <service-name> --primary-task-set <new-task-set-arn>

  3. Scale the old task set to zero and delete it:

 aws ecs update-task-set --cluster <cluster-name> --service <service-name> --task-set <old-task-set-id> --scale value=0,unit=PERCENT

 aws ecs delete-task-set --cluster <cluster-name> --service <service-name> --task-set <old-task-set-id>

For a service that uses the ECS deployment controller (no externally managed task sets), update the service itself; ECS then rolls out new tasks with the corrected configuration:

 aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<sg-id>],assignPublicIp=DISABLED}"

After making the changes, verify that public IP assignment is now disabled on every task set:

 aws ecs describe-task-sets --cluster <cluster-name> --service <service-name> --query 'taskSets[*].networkConfiguration'
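The decision between the three remediation paths above, and the exact CreateTaskSet parameters that reproduce an existing task set without its public IP, as an added example (not code from the original page or from AWS). Input shapes match aws ecs describe-task-sets and the deploymentController.type field of aws ecs describe-services; the sample task set is constructed and every ARN and ID is a placeholder. NEW_TASK_SET_ARN is a convention of this example, filled in from the CreateTaskSet response by execute_plan, which is the only function that needs credentials.

```python
"""Plan remediation for a task set that assigns public IPs (added example)."""
import copy
import json

# Placeholder that execute_plan replaces with the ARN returned by create_task_set.
NEW_TASK_SET_ARN = "<arn returned by create_task_set>"

# Constructed sample: a non-compliant task set as describe-task-sets returns it.
SAMPLE_OLD_TASK_SET = json.loads("""
{
  "id": "ecs-svc/1111111111111111111",
  "taskSetArn": "arn:aws:ecs:us-east-1:123456789012:task-set/prod/web/ecs-svc/1111111111111111111",
  "taskDefinition": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:7",
  "launchType": "FARGATE",
  "platformVersion": "1.4.0",
  "scale": {"value": 100.0, "unit": "PERCENT"},
  "loadBalancers": [{"targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abc",
                     "containerName": "web", "containerPort": 8080}],
  "networkConfiguration": {"awsvpcConfiguration": {
    "subnets": ["subnet-0aaaaaaa"], "securityGroups": ["sg-0aaaaaaa"],
    "assignPublicIp": "ENABLED"}}
}
""")


def hardened_network_configuration(network_configuration):
    """Deep copy of an awsvpc configuration with assignPublicIp forced to DISABLED."""
    cfg = copy.deepcopy(network_configuration)
    cfg["awsvpcConfiguration"]["assignPublicIp"] = "DISABLED"
    return cfg


def replacement_task_set_params(cluster, service, old):
    """CreateTaskSet parameters that reproduce `old` except for the public IP.

    launchType and capacityProviderStrategy are mutually exclusive in
    CreateTaskSet, so whichever the old task set used is carried over.
    """
    params = {
        "cluster": cluster,
        "service": service,
        "taskDefinition": old["taskDefinition"],
        "networkConfiguration": hardened_network_configuration(old["networkConfiguration"]),
        "scale": old.get("scale", {"value": 100.0, "unit": "PERCENT"}),
    }
    for key in ("externalId", "loadBalancers", "serviceRegistries", "platformVersion", "tags"):
        if old.get(key):
            params[key] = old[key]
    if old.get("capacityProviderStrategy"):
        params["capacityProviderStrategy"] = old["capacityProviderStrategy"]
    elif old.get("launchType"):
        params["launchType"] = old["launchType"]
    return params


def plan_remediation(cluster, service, deployment_controller, old):
    """Ordered (api_call, kwargs) steps that remove public IPs from `old`."""
    if deployment_controller == "ECS":
        # ECS-managed services have no user-managed task sets: UpdateService
        # triggers a rolling deployment with the corrected configuration.
        return [("update_service", {
            "cluster": cluster, "service": service,
            "networkConfiguration": hardened_network_configuration(old["networkConfiguration"])})]
    if deployment_controller == "CODE_DEPLOY":
        # CodeDeploy creates the task sets; the setting lives in the AppSpec file.
        return [("appspec", {"NetworkConfiguration": {"AwsvpcConfiguration": {
            "AssignPublicIp": "DISABLED"}}})]
    # EXTERNAL: create a replacement, move traffic to it, retire the old one.
    ref = {"cluster": cluster, "service": service}
    return [
        ("create_task_set", replacement_task_set_params(cluster, service, old)),
        ("update_service_primary_task_set", dict(ref, primaryTaskSet=NEW_TASK_SET_ARN)),
        ("update_task_set", dict(ref, taskSet=old["id"], scale={"value": 0.0, "unit": "PERCENT"})),
        ("delete_task_set", dict(ref, taskSet=old["id"])),
    ]


def execute_plan(ecs, plan):
    """Run the plan with a boto3 ECS client, wiring the new task set ARN from
    step one into the primary-task-set switch. Needs credentials; not run here."""
    new_arn = None
    for call, kwargs in plan:
        if call == "appspec":
            raise RuntimeError("edit the AppSpec and redeploy through CodeDeploy")
        if kwargs.get("primaryTaskSet") == NEW_TASK_SET_ARN:
            kwargs = dict(kwargs, primaryTaskSet=new_arn)
        response = getattr(ecs, call)(**kwargs)
        if call == "create_task_set":
            new_arn = response["taskSet"]["taskSetArn"]
    return new_arn
```

In production wait for the new task set's targets to pass health checks before the primary switch; execute_plan runs the steps back to back and is deliberately simple. The original task set is never mutated: the plan is built from a deep copy, so the ENABLED value stays available for the backout plan.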

Backout Plan:

If disabling public IP assignment causes issues (for example, tasks fail to start because they can no longer pull their image, or an external dependency becomes unreachable):

Identify the affected service and task set, and record the network configuration that was in use before the change.

Restore the previous configuration. For a service that uses the ECS deployment controller:

 aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<sg-id>],assignPublicIp=ENABLED}"

For an EXTERNAL-controller service, a task set cannot be edited in place: repeat the replacement steps from Implementation Steps with assignPublicIp=ENABLED (create a new task set, make it primary, scale down and delete the hardened one).

Verify that the new tasks have public IPs assigned (aws ec2 describe-network-interfaces) and that the issue is resolved. Treat the rollback as temporary: the permanent fix is usually a NAT gateway or VPC endpoints for the private subnets, not a public IP on the task.

Note:

  • Tasks in private subnets have no route to the internet on their own. If they need outbound internet access, route the private subnets through a NAT gateway (or a NAT instance); inbound access should arrive only through a load balancer in a public subnet whose security group is the only source allowed by the task's security group.

  • Traffic to AWS services (ECR image pulls, CloudWatch Logs, S3, Secrets Manager, Systems Manager) needs neither a NAT gateway nor a public IP: create interface VPC endpoints (ecr.api, ecr.dkr, logs, secretsmanager, ssm) and a gateway endpoint for S3 so that the traffic stays inside the AWS network.

  • A Fargate task in a private subnet with neither a NAT gateway nor the ECR and S3 endpoints cannot pull its image and fails to start; verify outbound reachability before switching a task set to assignPublicIp=DISABLED.

  • Removing public IPs does not replace security group hygiene: a task behind a load balancer is still exposed if its security group allows inbound traffic from 0.0.0.0/0 rather than from the load balancer's security group only.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                      | IG1 | IG2 | IG3
--------|------------|--------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Enforce Data Retention                                                   |     |     |
v8      | 6.7        | Centralize Access Control                                                |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control                            |     |     |
v8      | 14.6       | Train Workforce Members on Recognizing and Reporting Security Incidents  |     |     |