AWS ECS services have automatic public IP address assignment enabled
Description
This policy verifies that Elastic Container Service (ECS) services are not configured to assign public IP addresses to their tasks automatically. On a service that uses awsvpc networking (required for Fargate), enabling `assign_public_ip` gives every task's elastic network interface (ENI) a public IPv4 address. If the task's subnet routes to an internet gateway and the security group allows inbound traffic, the containers become directly reachable from the internet, bypassing whatever load balancer, WAF or other ingress control sits in front of the service. Direct exposure of a container's listening ports lets unauthorized parties probe and potentially exploit the application, which can lead to data breaches, service interruption and other incidents. Keeping tasks on private addresses and routing inbound traffic through a load balancer limits the attack surface to the entry point you actually intend to expose.
Code Example
resource "aws_ecs_service" "example" {
  name            = "example"
  cluster         = aws_ecs_cluster.example.id
  task_definition = aws_ecs_task_definition.example.arn

  # network_configuration is only valid when the task definition uses
  # network_mode = "awsvpc" (always the case on Fargate).
  network_configuration {
    subnets          = [aws_subnet.example.id]
    # Compliant: task ENIs get no public IPv4 address. This is also the
    # provider default, so the rule only fails on an explicit "true".
    assign_public_ip = false
  }

  # Inbound traffic reaches the tasks only through the load balancer.
  load_balancer {
    target_group_arn = aws_lb_target_group.example.arn
    container_name   = "example"
    container_port   = 8080
  }
}
Remediation
Terraform
- Resource: aws_ecs_service
- Arguments: network_configuration.assign_public_ip
To fix this issue, set `assign_public_ip = false` inside the `network_configuration` block of the `aws_ecs_service` resource (or omit the argument, since `false` is the provider default) and place the tasks in private subnets. Tasks without a public IP still need an egress path to pull images and reach AWS APIs: a NAT gateway, or VPC endpoints for ECR (`ecr.api` and `ecr.dkr`), S3, CloudWatch Logs and any other service the task calls, otherwise the tasks will fail to start. Expose the service through an Application or Network Load Balancer in a public subnet rather than through task-level public IPs.
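The rule is listed with a TerraformPlan framework as well as plain Terraform, so it is worth seeing the condition applied to a plan rather than to source. The script below is an added example, not Checkov's own implementation of CKV_AWS_333: it re-implements the same check over a Terraform plan exported as JSON (`terraform show -json tfplan`), and it also surfaces the case the simple check misses, where `assign_public_ip` is not known until apply time. The plan document and resource addresses in it are constructed for the example.

```python
"""Evaluate the condition behind CKV_AWS_333 / IAC-0380 against a Terraform
plan exported as JSON (`terraform show -json tfplan > plan.json`).

Added example, not Checkov's own code: a stand-alone re-implementation of the
same check so the logic can be read and run offline. The plan document below is
constructed for the example; the resource addresses in it are hypothetical.
"""
import json
import sys

# Constructed sample plan. In plan JSON every nested block, including
# network_configuration, is rendered as a list of objects, and attribute values
# that are only known at apply time are omitted from `after` and marked `true`
# at the same position in `after_unknown`.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # Fargate service that explicitly enables public IPs: should FAIL
            "address": "aws_ecs_service.public_api",
            "type": "aws_ecs_service",
            "change": {"actions": ["create"], "after": {
                "name": "public-api", "launch_type": "FARGATE",
                "network_configuration": [{"assign_public_ip": True,
                                           "subnets": ["subnet-0a"],
                                           "security_groups": ["sg-01"]}]}},
        },
        {   # Fargate service in a private subnet: should PASS
            "address": "aws_ecs_service.private_api",
            "type": "aws_ecs_service",
            "change": {"actions": ["create"], "after": {
                "name": "private-api", "launch_type": "FARGATE",
                "network_configuration": [{"assign_public_ip": False,
                                           "subnets": ["subnet-0b"],
                                           "security_groups": ["sg-02"]}]}},
        },
        {   # EC2 launch type with bridge networking: no network_configuration
            # block, so there is no task ENI to give a public IP: PASS
            "address": "aws_ecs_service.legacy_worker",
            "type": "aws_ecs_service",
            "change": {"actions": ["create"], "after": {
                "name": "legacy-worker", "launch_type": "EC2",
                "network_configuration": []}},
        },
        {   # assign_public_ip comes from a value unresolved at plan time
            "address": "aws_ecs_service.conditional",
            "type": "aws_ecs_service",
            "change": {"actions": ["create"],
                       "after": {"name": "conditional", "launch_type": "FARGATE",
                                 "network_configuration": [{"subnets": ["subnet-0c"]}]},
                       "after_unknown": {"network_configuration": [
                           {"assign_public_ip": True}]}},
        },
        {   # Service being destroyed: nothing exists after apply, PASS
            "address": "aws_ecs_service.retired",
            "type": "aws_ecs_service",
            "change": {"actions": ["delete"], "after": None,
                       "before": {"network_configuration": [
                           {"assign_public_ip": True}]}},
        },
    ],
})


def evaluate_service(change):
    """Classify one planned aws_ecs_service change as PASS, FAIL or UNKNOWN."""
    after = change.get("after")
    if after is None:
        return "PASS"  # resource is deleted; no task ENIs will exist
    for cfg in after.get("network_configuration") or []:
        # The provider default is false, so only an explicit true is a finding.
        if cfg.get("assign_public_ip") is True:
            return "FAIL"
    for cfg in (change.get("after_unknown") or {}).get("network_configuration") or []:
        # Unresolved at plan time: compliance cannot be proven, so surface it
        # for review rather than letting it pass silently.
        if isinstance(cfg, dict) and cfg.get("assign_public_ip") is True:
            return "UNKNOWN"
    return "PASS"


def evaluate_plan(plan_json):
    """Map each aws_ecs_service address in the plan to its verdict."""
    plan = json.loads(plan_json)
    return {rc["address"]: evaluate_service(rc["change"])
            for rc in plan.get("resource_changes", [])
            if rc.get("type") == "aws_ecs_service"}


def failing_services(plan_json):
    """Addresses that would auto-assign public IPs (the rule's findings)."""
    return sorted(a for a, v in evaluate_plan(plan_json).items() if v == "FAIL")


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, verdict in evaluate_plan(source).items():
        print(f"{verdict:8} {address}")
    sys.exit(1 if failing_services(source) else 0)
```

Run it with no arguments to evaluate the embedded sample, or pass the path of a real `terraform show -json` output. The exit code is non-zero only for explicit `FAIL` verdicts; `UNKNOWN` results are printed so a reviewer can decide whether the value that feeds `assign_public_ip` can ever resolve to `true`.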
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0380 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_333 |