# ECS Services assigned with public IP address

- Query id: 560f256b-0b45-4496-bcb5-733681e7d38d
- Query name: ECS Services assigned with public IP address
- Platform: Ansible
- Severity: Medium
- Category: Networking and Firewall
- CWE: 201
- Risk score: 3.0
- URL: Github
### Description

Amazon ECS services should not be assigned public IP addresses. Setting `assign_public_ip` to `true` in the service's `network_configuration` exposes the tasks directly to the internet, increasing the attack surface and the risk of unauthorized access.
Documentation
### Code samples

#### Code samples with security vulnerabilities
##### Positive test num. 1 - yaml file

```yaml
- name: positive1
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      community.aws.ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: true
```
##### Positive test num. 2 - yaml file

```yaml
- name: positive2-legacy
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: true
```
#### Code samples without security vulnerabilities

##### Negative test num. 1 - yaml file

```yaml
- name: negative1
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      community.aws.ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: false
```
##### Negative test num. 2 - yaml file

```yaml
- name: negative2
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service on FARGATE without assign_public_ip
      community.aws.ecs_service:
        state: present
        name: service-no-public-ip
        cluster: my-cluster
        task_definition: my-task-def:1
        desired_count: 1
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
          security_groups:
            - sg-bbbb2222
```
##### Negative test num. 3 - yaml file

```yaml
- name: negative3
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service on EC2 without network_configuration
      community.aws.ecs_service:
        state: present
        name: service-on-ec2
        cluster: my-cluster
        task_definition: my-task-def:2
        desired_count: 2
        launch_type: EC2
```
##### Negative test num. 4 - yaml file

```yaml
- name: negative1
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: false
```
##### Negative test num. 5 - yaml file

```yaml
- name: negative2
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service on FARGATE without assign_public_ip
      ecs_service:
        state: present
        name: service-no-public-ip
        cluster: my-cluster
        task_definition: my-task-def:1
        desired_count: 1
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
          security_groups:
            - sg-bbbb2222
```
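The samples above show what the query matches and what it leaves alone. The following is an added example (not the KICS query itself or the `community.aws` module's code) of the same check written as a small Python function over a parsed playbook: it flags both the `community.aws.ecs_service` FQCN and the legacy `ecs_service` name, treats a missing `assign_public_ip` as compliant, skips services with no `network_configuration`, and normalises Ansible's string booleans. The sample playbook is constructed here to mirror positive1, positive2-legacy and negative3.

```python
# Added example, not KICS's own query: flag ecs_service tasks that request a public IP.
from typing import Any, Iterator

# The query covers both the collection FQCN and the legacy short module name.
ECS_SERVICE_MODULES = ("community.aws.ecs_service", "ecs_service")


def _is_true(value: Any) -> bool:
    """Ansible accepts several YAML spellings for a boolean."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def _expand(task: dict) -> Iterator[dict]:
    """Descend into block/rescue/always so nested tasks are not missed."""
    if any(k in task for k in ("block", "rescue", "always")):
        for k in ("block", "rescue", "always"):
            for sub in task.get(k) or []:
                yield from _expand(sub)
    else:
        yield task


def find_public_ip_services(playbook: list) -> list:
    """Names of ecs_service tasks with assign_public_ip set to true.
    A missing key is compliant (the module defaults it to false) and a
    task with no network_configuration (e.g. EC2 launch type) is skipped."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in play.get(section) or []:
                for t in _expand(task):
                    module = next((m for m in ECS_SERVICE_MODULES if m in t), None)
                    if module is None or not isinstance(t[module], dict):
                        continue  # not ecs_service, or free-form "key=value" args
                    netcfg = t[module].get("network_configuration") or {}
                    if isinstance(netcfg, dict) and _is_true(netcfg.get("assign_public_ip", False)):
                        findings.append(t.get("name", "<unnamed task>"))
    return findings


# Constructed playbook mirroring the page's positive1, positive2-legacy and negative3.
SAMPLE_PLAYBOOK = [
    {"name": "positive1", "tasks": [{"name": "Create ECS service with network configuration",
        "community.aws.ecs_service": {"launch_type": "FARGATE", "network_configuration": {
            "subnets": ["subnet-aaaa1111"], "assign_public_ip": True}}}]},
    {"name": "positive2-legacy", "tasks": [{"name": "Legacy module, string boolean",
        "ecs_service": {"launch_type": "FARGATE", "network_configuration": {
            "subnets": ["subnet-aaaa1111"], "assign_public_ip": "yes"}}}]},
    {"name": "negative3", "tasks": [{"name": "Create ECS service on EC2 without network_configuration",
        "community.aws.ecs_service": {"launch_type": "EC2"}}]},
]
```

To run it against a real playbook, parse the file with `yaml.safe_load` (PyYAML, assumed installed) and pass the resulting list to `find_public_ip_services`.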