ECS Services assigned with public IP address
- Query id: c0c26068-fdf0-40e5-9b3b-fc8a5f585d2e
- Query name: ECS Services assigned with public IP address
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 201
- Risk score: 3.0
- URL: Github
Description¶
Amazon ECS services should not assign public IP addresses to their tasks. With `AssignPublicIp: ENABLED` under `NetworkConfiguration.AwsvpcConfiguration`, every task ENI receives a public IPv4 address, so each container is directly reachable from the internet — without any load balancer, WAF or private-subnet boundary in between — whenever its subnet routes to an internet gateway and the attached security group permits inbound traffic. This enlarges the attack surface and invites unauthorized access. Set `AssignPublicIp` to `DISABLED` (or omit it; an absent key is treated as compliant by this query) and run tasks in private subnets; if they must be reachable, expose them through a load balancer in public subnets and give them outbound access for image pulls and log delivery via a NAT gateway or VPC endpoints.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
# KICS positive sample: the ECSService below sets AssignPublicIp: ENABLED,
# so every task the service launches gets a public IPv4 address on its ENI.
# NOTE: generic YAML 1.1 loaders read the unquoted version as a date;
# CloudFormation accepts it as written.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: CFNCluster
  # Sample httpd container: writes a static page and serves it on port 80.
  ECSTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' >
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          # Public-registry image; pulled when the task starts.
          Image: 'public.ecr.aws/docker/library/httpd:2.4'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/fargate-task-definition
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
          Name: sample-fargate-app
          # Port 80 is what becomes internet-reachable once the task has a public
          # IP (subject to the security group's inbound rules).
          PortMappings:
            - ContainerPort: 80
              HostPort: 80  # mirrors ContainerPort, as awsvpc mode (NetworkMode below) requires
              Protocol: tcp
      Cpu: 256
      # Placeholder account id from the sample; not a real principal.
      ExecutionRoleArn: 'arn:aws:iam::111122223333:role/ecsTaskExecutionRole'
      Family: task-definition-cfn
      Memory: 512
      # awsvpc mode gives each task its own ENI; AssignPublicIp applies to that ENI.
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSService:
    Type: 'AWS::ECS::Service'
    Properties:
      ServiceName: cfn-service
      Cluster: !Ref ECSCluster
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          # FINDING: ENABLED attaches a public IPv4 address to every task ENI, so the
          # container is reachable directly from the internet (no load balancer in
          # between) whenever the subnet routes to an internet gateway and the
          # security group allows inbound traffic. Remediation: DISABLED.
          AssignPublicIp: ENABLED
          # Opaque literal id; the template does not show this group's inbound
          # rules, so the actual exposure of port 80 cannot be judged from here.
          SecurityGroups:
            - sg-abcdef01234567890
          # Opaque literal id; if this is a public subnet (route to an internet
          # gateway), the public IP above is live as soon as the task starts.
          Subnets:
            - subnet-021345abcdef67890
      TaskDefinition: !Ref ECSTaskDefinition
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterName": "CFNCluster"
}
},
"ECSTaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Command": [
"/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
],
"EntryPoint": [
"sh",
"-c"
],
"Essential": true,
"Image": "public.ecr.aws/docker/library/httpd:2.4",
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"awslogs-group": "/ecs/fargate-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"Name": "sample-fargate-app",
"PortMappings": [
{
"ContainerPort": 80,
"HostPort": 80,
"Protocol": "tcp"
}
]
}
],
"Cpu": 256,
"ExecutionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
"Family": "task-definition-cfn",
"Memory": 512,
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"FARGATE"
],
"RuntimePlatform": {
"OperatingSystemFamily": "LINUX"
}
}
},
"ECSService": {
"Type": "AWS::ECS::Service",
"Properties": {
"ServiceName": "cfn-service",
"Cluster": {
"Ref": "ECSCluster"
},
"DesiredCount": 1,
"LaunchType": "FARGATE",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"AssignPublicIp": "ENABLED",
"SecurityGroups": [
"sg-abcdef01234567890"
],
"Subnets": [
"subnet-021345abcdef67890"
]
}
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
# KICS negative sample: identical to the positive case except that the
# ECSService explicitly sets AssignPublicIp: DISABLED.
# NOTE: generic YAML 1.1 loaders read the unquoted version as a date;
# CloudFormation accepts it as written.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: CFNCluster
  # Sample httpd container: writes a static page and serves it on port 80.
  ECSTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' >
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          # Public-registry image; pulled when the task starts, which needs an
          # outbound path even though the task has no public IP (see below).
          Image: 'public.ecr.aws/docker/library/httpd:2.4'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/fargate-task-definition
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
          Name: sample-fargate-app
          # Port 80 is only reachable from inside the VPC (or via whatever fronts
          # the task) because the ENI carries no public address.
          PortMappings:
            - ContainerPort: 80
              HostPort: 80  # mirrors ContainerPort, as awsvpc mode (NetworkMode below) requires
              Protocol: tcp
      Cpu: 256
      # Placeholder account id from the sample; not a real principal.
      ExecutionRoleArn: 'arn:aws:iam::111122223333:role/ecsTaskExecutionRole'
      Family: task-definition-cfn
      Memory: 512
      # awsvpc mode gives each task its own ENI; AssignPublicIp applies to that ENI.
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSService:
    Type: 'AWS::ECS::Service'
    Properties:
      ServiceName: cfn-service
      Cluster: !Ref ECSCluster
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Compliant: DISABLED leaves the task ENI with a private address only, so
          # the container is not directly reachable from the internet.
          # NOTE(review): the image pull from public.ecr.aws and awslogs delivery
          # then need outbound reachability (NAT gateway or VPC endpoints) —
          # confirm the subnet's routing; the template does not show it.
          AssignPublicIp: DISABLED
          # Opaque literal id; inbound rules are not visible in this template.
          SecurityGroups:
            - sg-abcdef01234567890
          # Opaque literal id; should be a private subnet for the intent above to hold.
          Subnets:
            - subnet-021345abcdef67890
      TaskDefinition: !Ref ECSTaskDefinition
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterName": "CFNCluster"
}
},
"ECSTaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Command": [
"/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
],
"EntryPoint": [
"sh",
"-c"
],
"Essential": true,
"Image": "public.ecr.aws/docker/library/httpd:2.4",
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"awslogs-group": "/ecs/fargate-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"Name": "sample-fargate-app",
"PortMappings": [
{
"ContainerPort": 80,
"HostPort": 80,
"Protocol": "tcp"
}
]
}
],
"Cpu": 256,
"ExecutionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
"Family": "task-definition-cfn",
"Memory": 512,
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"FARGATE"
],
"RuntimePlatform": {
"OperatingSystemFamily": "LINUX"
}
}
},
"ECSService": {
"Type": "AWS::ECS::Service",
"Properties": {
"ServiceName": "cfn-service",
"Cluster": {
"Ref": "ECSCluster"
},
"DesiredCount": 1,
"LaunchType": "FARGATE",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"AssignPublicIp": "DISABLED",
"SecurityGroups": [
"sg-abcdef01234567890"
],
"Subnets": [
"subnet-021345abcdef67890"
]
}
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
}
}
}
}
}
Negative test num. 3 - yaml file
# KICS negative sample: the ECSService omits AssignPublicIp entirely; the
# query treats the absent key as "no public IP".
# NOTE: generic YAML 1.1 loaders read the unquoted version as a date;
# CloudFormation accepts it as written.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: CFNCluster
  # Sample httpd container: writes a static page and serves it on port 80.
  ECSTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' >
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          # Public-registry image; pulled when the task starts.
          Image: 'public.ecr.aws/docker/library/httpd:2.4'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/fargate-task-definition
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
          Name: sample-fargate-app
          PortMappings:
            - ContainerPort: 80
              HostPort: 80  # mirrors ContainerPort, as awsvpc mode (NetworkMode below) requires
              Protocol: tcp
      Cpu: 256
      # Placeholder account id from the sample; not a real principal.
      ExecutionRoleArn: 'arn:aws:iam::111122223333:role/ecsTaskExecutionRole'
      Family: task-definition-cfn
      Memory: 512
      # awsvpc mode gives each task its own ENI; AssignPublicIp applies to that ENI.
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSService:
    Type: 'AWS::ECS::Service'
    Properties:
      ServiceName: cfn-service
      Cluster: !Ref ECSCluster
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Compliant by omission: AssignPublicIp is not set. AWS documents DISABLED
          # as the default for this key (verify against the current docs), but
          # stating `AssignPublicIp: DISABLED` explicitly makes the intent auditable
          # and keeps a later edit from flipping it unnoticed.
          # Opaque literal ids below; security-group rules and subnet routing are
          # not visible in this template.
          SecurityGroups:
            - sg-abcdef01234567890
          Subnets:
            - subnet-021345abcdef67890
      TaskDefinition: !Ref ECSTaskDefinition
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterName": "CFNCluster"
}
},
"ECSTaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Command": [
"/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
],
"EntryPoint": [
"sh",
"-c"
],
"Essential": true,
"Image": "public.ecr.aws/docker/library/httpd:2.4",
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"awslogs-group": "/ecs/fargate-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"Name": "sample-fargate-app",
"PortMappings": [
{
"ContainerPort": 80,
"HostPort": 80,
"Protocol": "tcp"
}
]
}
],
"Cpu": 256,
"ExecutionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
"Family": "task-definition-cfn",
"Memory": 512,
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"FARGATE"
],
"RuntimePlatform": {
"OperatingSystemFamily": "LINUX"
}
}
},
"ECSService": {
"Type": "AWS::ECS::Service",
"Properties": {
"ServiceName": "cfn-service",
"Cluster": {
"Ref": "ECSCluster"
},
"DesiredCount": 1,
"LaunchType": "FARGATE",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"SecurityGroups": [
"sg-abcdef01234567890"
],
"Subnets": [
"subnet-021345abcdef67890"
]
}
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
}
}
}
}
}