Profile Applicability:
Level 1

Description:
For Amazon ECS task sets, the assignPublicIp setting should be set to DISABLED. This ensures that ECS tasks are not assigned public IP addresses and are therefore not directly exposed to the internet. Disabling public IPs reduces the risk of unauthorized access to containers running in ECS; external traffic must then reach the tasks through a load balancer or another internal networking path.

Rationale:
Allowing public IPs to be assigned to ECS tasks can expose sensitive services to the internet. Disabling public IP addresses helps secure ECS tasks by ensuring they are not directly accessible from outside the VPC. Instead, access should be controlled via private IPs and internal security measures such as security groups, private subnets, or load balancers.

Impact:
Pros:

  • Reduces the attack surface by preventing ECS tasks from being directly accessible from the internet.

  • Improves network security by ensuring that tasks are only accessible via private networking.

  • Aligns with best practices for isolating services within a private network.

Cons:

  • May require adjustments in how external services access ECS tasks (e.g., via a load balancer or VPC peering).

  • More complex networking setup may be required for some use cases.

Default Value:
By default, ECS tasks are created with the assignPublicIp setting set to DISABLED for tasks launched in private subnets. However, this setting can be overridden during task definition or service creation.

Pre-requisites:

  • AWS IAM permissions to view and manage ECS task sets and services:

    • ecs:DescribeTaskSets

    • ecs:UpdateService

    • ecs:RegisterTaskDefinition

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to ECS.

  2. In the left pane, click Clusters, then select the ECS cluster that contains the task set you want to review.

  3. Click on Task Sets under the Services section of the cluster.

  4. Select a task set from the list and review its settings.

  5. In the Task Set Details, ensure that the Assign Public IP option is set to DISABLED.

  6. Repeat steps 3–5 for other task sets in the cluster and across other AWS regions to verify compliance.

Using AWS CLI:

  1. Run the following command to describe every task set of a service and print each task set's assignPublicIp value (the ECS API has no list-task-sets action; describe-task-sets returns all task sets of the service when --task-sets is omitted):

     aws ecs describe-task-sets --cluster <cluster-name> --service <service-name> --query 'taskSets[].{id:id,status:status,assignPublicIp:networkConfiguration.awsvpcConfiguration.assignPublicIp}' --output json

  2. Review each task set in the output and note its assignPublicIp value. Repeat for every service in every cluster and across all AWS regions in use.

  3. Ensure that the assignPublicIp attribute is set to DISABLED for all task sets.
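The audit above can be automated across an entire region. The following script is an added example and is not part of the CIS benchmark text: find_public_ip_task_sets() evaluates the JSON structure that `aws ecs describe-task-sets` returns (so it is tested offline on the constructed sample at the bottom), and audit_region() drives the real AWS CLI over every cluster and service in the caller's configured region. The sample ARNs, subnet and security group IDs are constructed, and the function names are the author's own choice.

```python
"""Flag ECS task sets whose awsvpcConfiguration.assignPublicIp is not DISABLED.

Added example for the CIS check; not the benchmark's or AWS's own code.
Needs the AWS CLI and ecs:ListClusters, ecs:ListServices and
ecs:DescribeTaskSets permissions for audit_region(); the evaluation
function itself runs offline.
"""
import json
import subprocess
from typing import Dict, List


def find_public_ip_task_sets(describe_output: dict) -> List[Dict[str, str]]:
    """Return one finding per task set that would receive a public IP.

    `describe_output` is the parsed JSON of `aws ecs describe-task-sets`.
    Task sets without an awsvpcConfiguration (bridge/host network mode)
    cannot be assigned a public IP and are skipped. A missing
    assignPublicIp key means the AWS default, DISABLED.
    """
    findings = []
    for task_set in describe_output.get("taskSets", []):
        vpc = task_set.get("networkConfiguration", {}).get("awsvpcConfiguration")
        if vpc is None:
            continue
        value = vpc.get("assignPublicIp", "DISABLED")
        if value != "DISABLED":
            findings.append({
                "id": task_set.get("id", ""),
                "taskSetArn": task_set.get("taskSetArn", ""),
                "status": task_set.get("status", ""),
                "assignPublicIp": value,
            })
    return findings


def _aws(*args: str) -> dict:
    """Run one AWS CLI command and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_region() -> List[Dict[str, str]]:
    """Walk every cluster and service in the configured region and collect
    findings for task sets that are not assignPublicIp=DISABLED."""
    findings = []
    for cluster in _aws("ecs", "list-clusters")["clusterArns"]:
        services = _aws("ecs", "list-services", "--cluster", cluster)["serviceArns"]
        for service in services:
            # describe-task-sets returns every task set of the service
            # when --task-sets is omitted
            described = _aws("ecs", "describe-task-sets",
                             "--cluster", cluster, "--service", service)
            for finding in find_public_ip_task_sets(described):
                finding.update({"cluster": cluster, "service": service})
                findings.append(finding)
    return findings


# Constructed sample in the shape of `aws ecs describe-task-sets` output
# (IDs and ARNs are made up for the example).
SAMPLE_DESCRIBE_OUTPUT = {
    "taskSets": [
        {   # compliant: explicitly DISABLED
            "id": "ecs-svc/1111111111111111111",
            "taskSetArn": "arn:aws:ecs:us-east-1:111122223333:task-set/demo/web/ecs-svc/1111111111111111111",
            "status": "PRIMARY",
            "networkConfiguration": {"awsvpcConfiguration": {
                "subnets": ["subnet-aaaa"], "securityGroups": ["sg-aaaa"],
                "assignPublicIp": "DISABLED"}},
        },
        {   # non-compliant: tasks get a public IP
            "id": "ecs-svc/2222222222222222222",
            "taskSetArn": "arn:aws:ecs:us-east-1:111122223333:task-set/demo/web/ecs-svc/2222222222222222222",
            "status": "ACTIVE",
            "networkConfiguration": {"awsvpcConfiguration": {
                "subnets": ["subnet-bbbb"], "securityGroups": ["sg-bbbb"],
                "assignPublicIp": "ENABLED"}},
        },
        {   # compliant: key omitted, which AWS treats as DISABLED
            "id": "ecs-svc/3333333333333333333",
            "status": "ACTIVE",
            "networkConfiguration": {"awsvpcConfiguration": {
                "subnets": ["subnet-cccc"]}},
        },
    ],
    "failures": [],
}


if __name__ == "__main__":
    for f in find_public_ip_task_sets(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT", f["id"], f["status"], f["assignPublicIp"])
```

Run it as-is to see the offline check on the sample; call audit_region() from a session with AWS credentials to produce findings for a real region, one region per run (set AWS_REGION or --region via the CLI configuration).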

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to ECS.

  2. In the left pane, click Clusters, then select the ECS cluster that contains the task set you want to modify.

  3. Click on Task Sets under the Services section of the cluster.

  4. Select the task set that requires modification.

  5. In the Task Set Details, click Edit.

  6. Under Network Configuration, ensure that the Assign Public IP option is set to DISABLED.

  7. Save the changes to the task set.

Using AWS CLI:

  1. To update the service's network configuration and disable public IP assignment, run the following command. awsvpcConfiguration requires the subnets field, so supply the service's existing subnets and security groups (aws ecs describe-services shows the current values) rather than passing assignPublicIp on its own, which fails validation:

     aws ecs update-service --cluster <cluster-name> --service <service-name> --force-new-deployment --network-configuration "awsvpcConfiguration={subnets=[<subnet-id-1>,<subnet-id-2>],securityGroups=[<security-group-id>],assignPublicIp=DISABLED}"

     Note that an existing task set's network configuration cannot be edited in place (update-task-set only changes the scale). For a service that uses the EXTERNAL deployment controller, create a new task set with assignPublicIp=DISABLED (aws ecs create-task-set with the same --network-configuration value), shift traffic to it, and then delete the old task set.

  2. Wait for the deployment to complete and verify that the new configuration has been applied.
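The safe way to run the remediation (and the backout, which is the same operation with the opposite value) is to copy the service's current subnets and security groups from `aws ecs describe-services` and change only assignPublicIp. The following script is an added example, not the benchmark's own code: network_configuration_with() builds the new network configuration from a describe-services record, update_service_argv() turns it into the update-service command, and remediate() performs both steps against a live account (dry-run by default). The sample service record, cluster and service names are constructed.

```python
"""Build an `aws ecs update-service` command that flips assignPublicIp while
preserving the service's existing subnets and security groups.

Added example for the CIS remediation; not AWS's or the benchmark's code.
remediate() requires the AWS CLI with ecs:DescribeServices and
ecs:UpdateService permissions; the other functions run offline.
"""
import json
import subprocess
from typing import List

VALID_VALUES = {"ENABLED", "DISABLED"}


def network_configuration_with(service_desc: dict, assign_public_ip: str) -> dict:
    """Return a networkConfiguration for one service record
    (describe-services -> services[i]) with assignPublicIp replaced.

    Raises ValueError when the service has no awsvpcConfiguration or no
    subnets: subnets is a required field, so there is nothing safe to send.
    """
    if assign_public_ip not in VALID_VALUES:
        raise ValueError(f"assignPublicIp must be one of {sorted(VALID_VALUES)}")
    vpc = service_desc.get("networkConfiguration", {}).get("awsvpcConfiguration")
    if not vpc or not vpc.get("subnets"):
        raise ValueError("service has no awsvpcConfiguration with subnets; nothing to update")
    return {
        "awsvpcConfiguration": {
            "subnets": list(vpc["subnets"]),                      # unchanged
            "securityGroups": list(vpc.get("securityGroups", [])),  # unchanged
            "assignPublicIp": assign_public_ip,                    # the only edit
        }
    }


def update_service_argv(cluster: str, service: str, net_conf: dict) -> List[str]:
    """argv for `aws ecs update-service` that applies net_conf and forces a
    new deployment so running tasks are replaced with the new setting.
    The CLI accepts the structure as a JSON string."""
    return [
        "aws", "ecs", "update-service",
        "--cluster", cluster,
        "--service", service,
        "--force-new-deployment",
        "--network-configuration", json.dumps(net_conf),
    ]


def remediate(cluster: str, service: str, assign_public_ip: str = "DISABLED",
              dry_run: bool = True) -> List[str]:
    """Fetch the live service record, build the command and (unless dry_run)
    execute it. Pass assign_public_ip="ENABLED" for the backout plan."""
    proc = subprocess.run(
        ["aws", "ecs", "describe-services", "--cluster", cluster,
         "--services", service, "--output", "json"],
        check=True, capture_output=True, text=True)
    service_desc = json.loads(proc.stdout)["services"][0]
    argv = update_service_argv(
        cluster, service, network_configuration_with(service_desc, assign_public_ip))
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


# Constructed sample in the shape of one entry of describe-services' "services"
# list (IDs are made up for the example).
SAMPLE_SERVICE = {
    "serviceName": "web",
    "deploymentController": {"type": "ECS"},
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-0a1b", "subnet-0c2d"],
        "securityGroups": ["sg-0f9e"],
        "assignPublicIp": "ENABLED",
    }},
}


if __name__ == "__main__":
    conf = network_configuration_with(SAMPLE_SERVICE, "DISABLED")
    print(" ".join(update_service_argv("demo-cluster", "web", conf)))
```

Running the script prints the command it would execute for the sample service; remediate("demo-cluster", "web", dry_run=False) applies it to a real service. For a service using the EXTERNAL deployment controller, feed the same JSON value to `aws ecs create-task-set --network-configuration` instead, since an existing task set's network settings cannot be updated.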

Backout Plan:

Using AWS Console:

  1. If issues arise after disabling public IPs, log in to the AWS Management Console and navigate to ECS.

  2. Select the ECS cluster and go to Task Sets.

  3. Select the task set where you disabled public IPs and click Edit.

  4. Under Network Configuration, change Assign Public IP back to ENABLED.

  5. Save the changes to revert to the previous configuration.

Using AWS CLI:

  1. To revert the change and enable public IP assignment again, run the following command with the same subnets and security groups used in the remediation step (subnets is a required field of awsvpcConfiguration):

     aws ecs update-service --cluster <cluster-name> --service <service-name> --force-new-deployment --network-configuration "awsvpcConfiguration={subnets=[<subnet-id-1>,<subnet-id-2>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}"

  2. Wait for the deployment to complete and verify that the public IP assignment is enabled.

References:

CIS Controls:

  Version | Control ID | Control Description
  --------+------------+---------------------------------------------------------------------------------------------
  v8      | 1.1        | Ensure ECS task sets are configured to disable public IP addresses for better security and network isolation.
  v7      | 7.1        | Apply security configurations to ECS services to reduce exposure to public networks.