
lacework-global-804

Elastic Container Service (ECS) services should not have public IP addresses assigned to them automatically (Automated)

Description

This policy checks for Amazon ECS services configured to automatically assign public IP addresses.

A public IP address is an IP address that is reachable from the internet. If Amazon ECS instances are assigned a public IP address on launch, they are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to the container application servers.

Remediation

note

If a service has a public IP address, it is only possible to update this via the AWS CLI. If using the console, you must create a new instance of the service and delete the older version.

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Service.
  4. Click the name of the cluster containing the service with a Public IP address.
  5. Click the Services tab.
  6. Click the Create button.
  7. Under Networking, set the Public IP radio button to Turned off.
  8. Configure the rest of the service settings as required.
  9. Click Create.
  10. In the Services tab, click the Service with the Public IP address.
  11. Click the Delete service button, enter delete in the pop-up window, and click the Delete button.

From the CLI:

aws ecs update-service --cluster <cluster_name> --service <service_name> --network-configuration "awsvpcConfiguration={subnets=[<subnet_ids>],securityGroups=[<security_group_ids>],assignPublicIp=DISABLED}"
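The CLI command above needs the service's current subnet and security group IDs, since the whole awsvpcConfiguration is replaced. As an added example (not part of this policy page or Lacework's own check), the following Python reproduces the check offline against a constructed describe-services response and builds the --network-configuration value from the existing subnets and security groups, changing only assignPublicIp; all service names and resource IDs are placeholders.

```python
import json
from typing import List

# Constructed sample shaped like `aws ecs describe-services` output,
# trimmed to the fields this check reads. Names and IDs are placeholders.
SAMPLE_DESCRIBE_SERVICES = json.dumps({"services": [
    {"serviceName": "web-frontend",
     "networkConfiguration": {"awsvpcConfiguration": {
         "subnets": ["subnet-0aaa", "subnet-0bbb"],
         "securityGroups": ["sg-0ccc"],
         "assignPublicIp": "ENABLED"}}},
    {"serviceName": "worker",
     "networkConfiguration": {"awsvpcConfiguration": {
         "subnets": ["subnet-0ddd"],
         "securityGroups": ["sg-0eee"],
         "assignPublicIp": "DISABLED"}}},
    # Service without awsvpc networking (e.g. bridge mode): nothing to flag.
    {"serviceName": "legacy-bridge"},
]})


def find_public_ip_services(describe_services_json: str) -> List[str]:
    """Names of services whose awsvpcConfiguration auto-assigns a public IP."""
    data = json.loads(describe_services_json)
    flagged = []
    for svc in data.get("services", []):
        awsvpc = (svc.get("networkConfiguration") or {}).get("awsvpcConfiguration") or {}
        if awsvpc.get("assignPublicIp") == "ENABLED":
            flagged.append(svc["serviceName"])
    return flagged


def remediation_network_configuration(describe_services_json: str, service_name: str) -> str:
    """Build the --network-configuration value for `aws ecs update-service`,
    keeping the service's existing subnets and security groups and only
    switching assignPublicIp to DISABLED."""
    data = json.loads(describe_services_json)
    for svc in data["services"]:
        if svc["serviceName"] == service_name:
            awsvpc = svc["networkConfiguration"]["awsvpcConfiguration"]
            return "awsvpcConfiguration={subnets=[%s],securityGroups=[%s],assignPublicIp=DISABLED}" % (
                ",".join(awsvpc["subnets"]), ",".join(awsvpc["securityGroups"]))
    raise KeyError(f"service {service_name!r} not found in describe-services output")


if __name__ == "__main__":
    # Print the remediation command for each flagged service; <cluster_name> is left as a placeholder.
    for name in find_public_ip_services(SAMPLE_DESCRIBE_SERVICES):
        print(f"aws ecs update-service --cluster <cluster_name> --service {name} "
              f"--network-configuration \"{remediation_network_configuration(SAMPLE_DESCRIBE_SERVICES, name)}\"")
```

Against real output, pipe `aws ecs describe-services --cluster <cluster_name> --services <service_name>` into these functions instead of the constructed sample.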

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-2
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-service-console-v2.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service-console-v2.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/update-service.html