Profile Applicability:

  • Level 1

Description:
 This rule ensures that assignPublicIp is set to DISABLED for Amazon ECS services. Disabling the automatic assignment of public IPs to ECS services helps prevent direct exposure of container applications to the public internet, which could increase the risk of unauthorized access or attacks.

Rationale:
 Allowing ECS services to assign public IPs can expose containerized applications to the public internet, increasing the potential attack surface. By setting assignPublicIp to DISABLED, containers are isolated within a private network and cannot be accessed directly from the internet unless explicitly routed through a load balancer or other secure methods.

Impact:
Pros:

  • Enhanced security by preventing direct public internet access to containers.

  • Improved network isolation, reducing the likelihood of unauthorized access or data breaches.

Cons:

  • Operational overhead: Requires configuring and maintaining private networking and associated resources, such as a load balancer or NAT gateway, to allow for controlled access to the ECS services.

  • Potential additional costs for private networking components.

Default Value:
 By default, assignPublicIp is set to ENABLED, which means ECS services are allowed to obtain public IP addresses upon launch.

Pre-requisites:

  • AWS IAM permissions to manage ECS services:
     ecs:UpdateService, ecs:DescribeServices

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of the cluster you wish to review.

  4. Under Services, click the name of the service.

  5. Click Configuration and Networking.

  6. Under Network Configuration, ensure that Auto-assign public IP is set to Turned off.

  7. Repeat steps 1-6 for each ECS cluster and service in use across all regions.

Using AWS CLI:

  1. Run the following command to list the available ECS clusters:

    aws ecs list-clusters

  2. For each cluster, run the following command to list its services:

    aws ecs list-services --cluster <cluster-arn>

  3. For each service, run the following command to describe the service and check its network configuration:

    aws ecs describe-services --cluster <cluster-arn> --services <service-arn>

  4. Ensure that under networkConfiguration > awsvpcConfiguration, the assignPublicIp parameter is set to DISABLED.
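The CLI check in steps 3 and 4, as an added Python example that is not part of the benchmark: it evaluates the JSON returned by `aws ecs describe-services` (piped on stdin, or a constructed sample when run without input) and reports each service as PASS, FAIL or NOT_APPLICABLE. The account id, ARNs, subnet and security-group ids in the sample are made up, as is the script name used in the usage note.

```python
"""Evaluate `aws ecs describe-services` output for assignPublicIp = DISABLED."""
import json
import sys

# Constructed sample of describe-services output (not captured from a real account).
SAMPLE = json.dumps({
    "services": [
        {"serviceArn": "arn:aws:ecs:us-east-1:111122223333:service/demo/api",
         "networkConfiguration": {"awsvpcConfiguration": {
             "subnets": ["subnet-0a"], "securityGroups": ["sg-0a"],
             "assignPublicIp": "DISABLED"}}},
        {"serviceArn": "arn:aws:ecs:us-east-1:111122223333:service/demo/worker",
         "networkConfiguration": {"awsvpcConfiguration": {
             "subnets": ["subnet-0b"], "securityGroups": ["sg-0b"],
             "assignPublicIp": "ENABLED"}}},
        # Services using bridge/host network mode carry no awsvpcConfiguration.
        {"serviceArn": "arn:aws:ecs:us-east-1:111122223333:service/demo/legacy"},
    ],
    # describe-services reports ARNs it could not resolve here instead of erroring.
    "failures": [{"arn": "arn:aws:ecs:us-east-1:111122223333:service/demo/gone",
                  "reason": "MISSING"}],
})


def evaluate(describe_output):
    """Return {serviceArn: verdict} with verdict PASS, FAIL, NOT_APPLICABLE or ERROR:<reason>.

    FAIL means awsvpcConfiguration is present and assignPublicIp is anything other
    than an explicit DISABLED (ENABLED, or the key missing, which is not compliant
    because the benchmark requires the value to be set to DISABLED).
    """
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    verdicts = {}
    for svc in data.get("services", []):
        vpc = (svc.get("networkConfiguration") or {}).get("awsvpcConfiguration")
        if vpc is None:
            verdicts[svc["serviceArn"]] = "NOT_APPLICABLE"  # no awsvpc networking
        elif vpc.get("assignPublicIp") == "DISABLED":
            verdicts[svc["serviceArn"]] = "PASS"
        else:
            verdicts[svc["serviceArn"]] = "FAIL"
    for failure in data.get("failures", []):
        verdicts[failure["arn"]] = "ERROR:" + failure.get("reason", "unknown")
    return verdicts


if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for arn, verdict in sorted(evaluate(raw).items()):
        print(f"{verdict:<16} {arn}")
```

Run it as `aws ecs describe-services --cluster <cluster-arn> --services <service-arn> ... | python3 check_assign_public_ip.py`; describe-services accepts up to 10 service ARNs per call, so batch the output of list-services accordingly.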

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Clusters.

  3. Click the name of the cluster you wish to modify.

  4. Under Services, click the service you want to modify.

  5. Click Create new revision.

  6. Under Network Configuration, uncheck Auto-assign public IP.

  7. Click Update to apply the changes.

  8. Repeat for other ECS services as required.

Using AWS CLI:

  1. For each ECS service that requires remediation, run the following command to update its network configuration. Supply the service's existing subnets and security groups in the command, since the awsvpcConfiguration block is replaced as a whole:

    aws ecs update-service --cluster <cluster-arn> --service <service-arn> --network-configuration '{"awsvpcConfiguration":{"subnets":["<subnet-id>"],"securityGroups":["<security-group-id>"],"assignPublicIp":"DISABLED"}}'

  2. Repeat this step for each ECS service that needs to have the public IP assignment disabled.

Backout Plan:

Using AWS Console:

  1. If issues arise after disabling assignPublicIp, you can revert the changes by re-enabling the Auto-assign public IP option for the affected services.

  2. Go to the ECS service configuration and enable Auto-assign public IP again.

Using AWS CLI:

  1. To revert the setting back to the default, run the following command to enable assignPublicIp:

    aws ecs update-service --cluster <cluster-arn> --service <service-arn> --network-configuration '{"awsvpcConfiguration":{"subnets":["<subnet-id>"],"securityGroups":["<security-group-id>"],"assignPublicIp":"ENABLED"}}'

References:

  1. AWS ECS: Update Service

  2. AWS ECS: Describe Services

  3. AWS ECS: Network Mode Configuration

CIS Controls:

  Version | Control ID | Control Description
  v8      | 3.3        | Configure data access control lists and restrict access to resources by ensuring ECS services are isolated and not directly exposed to the internet.
  v7      | 14.6       | Protect information by configuring ECS services to not assign public IPs, thus preventing direct internet access to containers.