ECS Services assigned with public IP address
- Query id: bafe7989-3c4b-47f0-910b-e6e1cba7f146
- Query name: ECS Services assigned with public IP address
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 201
- Risk score: 3.0
- URL: Github
Description
Amazon ECS services should not be assigned public IP addresses. Assigning a public IP exposes the service's tasks directly to the internet, which widens the attack surface and increases the risk of unauthorized access.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: the service's awsvpc network configuration explicitly
# requests a public IP for each task ENI, which is what the query flags.
resource "aws_ecs_service" "example_ecs_service" {
  name            = "example_service_dev"
  cluster         = aws_ecs_cluster.example_cluster.id
  task_definition = aws_ecs_task_definition.example_task.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  tags = {
    Environment = "dev"
    Owner       = "test_user"
  }

  load_balancer {
    target_group_arn = "arn:aws:elasticloadbalancing:region:123456789012:targetgroup/example-group/abcdef123456"
    container_name   = "example-container"
    container_port   = 8080
  }

  network_configuration {
    subnets         = ["subnet-abc123", "subnet-def456"]
    security_groups = ["sg-0123456789abcdef0"]
    # Finding: tasks get an internet-reachable address even though traffic is
    # already fronted by the load balancer above.
    assign_public_ip = true
  }
}
Positive test num. 2 - tf file
# Positive sample: the same misconfiguration expressed through the
# terraform-aws-modules/ecs service map rather than a bare resource.
module "ecs" {
  source       = "terraform-aws-modules/ecs/aws"
  cluster_name = "my-ecs-cluster"

  services = {
    frontend = {
      cpu    = 512
      memory = 1024

      container_definitions = {
        app = {
          image         = "nginx:latest"
          containerPort = 80
        }
      }

      subnet_ids         = ["subnet-abc123"]
      security_group_ids = ["sg-0123456789abcdef0"]
      # Finding: the per-service input turns on public IP assignment.
      assign_public_ip = true
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: public IP assignment is explicitly disabled on the task ENI.
resource "aws_ecs_service" "example_ecs_service" {
  name            = "example_service_dev"
  cluster         = aws_ecs_cluster.example_cluster.id
  task_definition = aws_ecs_task_definition.example_task.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  tags = {
    Environment = "dev"
    Owner       = "test_user"
  }

  load_balancer {
    target_group_arn = "arn:aws:elasticloadbalancing:region:123456789012:targetgroup/example-group/abcdef123456"
    container_name   = "example-container"
    container_port   = 8080
  }

  network_configuration {
    subnets         = ["subnet-abc123", "subnet-def456"]
    security_groups = ["sg-0123456789abcdef0"]
    # Explicit false: tasks are reachable only through the load balancer / VPC.
    assign_public_ip = false
  }
}
Negative test num. 2 - tf file
# Negative sample: assign_public_ip is left unset, so the provider default
# (false) applies and no public address is attached to the task ENI.
resource "aws_ecs_service" "example_ecs_service" {
  name            = "example_service_dev"
  cluster         = aws_ecs_cluster.example_cluster.id
  task_definition = aws_ecs_task_definition.example_task.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  tags = {
    Environment = "dev"
    Owner       = "test_user"
  }

  load_balancer {
    target_group_arn = "arn:aws:elasticloadbalancing:region:123456789012:targetgroup/example-group/abcdef123456"
    container_name   = "example-container"
    container_port   = 8080
  }

  # Note that no security_groups are listed here either; that is outside this
  # query's scope but worth reviewing separately.
  network_configuration {
    subnets = ["subnet-abc123", "subnet-def456"]
  }
}
Negative test num. 3 - tf file
# Negative sample: EC2 launch type with no network_configuration block at all,
# so there is no assign_public_ip attribute for the query to evaluate.
resource "aws_ecs_service" "example_ecs_service" {
  name            = "example_service"
  cluster         = aws_ecs_cluster.example_cluster.id
  task_definition = aws_ecs_task_definition.example_task.arn
  desired_count   = 1
  launch_type     = "EC2"

  tags = {
    Environment = "prod"
  }

  load_balancer {
    target_group_arn = "arn:aws:elasticloadbalancing:region:123456789012:targetgroup/example/abcdef123456"
    container_name   = "example"
    container_port   = 8080
  }
}
Negative test num. 4 - tf file
# Negative sample: module form with public IP assignment explicitly disabled
# for the frontend service.
module "ecs" {
  source       = "terraform-aws-modules/ecs/aws"
  cluster_name = "my-ecs-cluster"

  services = {
    frontend = {
      cpu    = 512
      memory = 1024

      container_definitions = {
        app = {
          image         = "nginx:latest"
          containerPort = 80
        }
      }

      subnet_ids         = ["subnet-abc123"]
      security_group_ids = ["sg-0123456789abcdef0"]
      # Explicit false keeps the task ENI private.
      assign_public_ip = false
    }
  }
}