Amazon ECS services should not have public IP addresses assigned to them automatically

Severity: High

Resource Types: AWS::ECS::Service

Description

This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is ENABLED. This control passes if AssignPublicIP is DISABLED.

A public IP address is an IP address that is reachable from the internet. If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.
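The pass/fail rule above can be applied offline to the output of the ECS DescribeServices API. The following is an added example, not AWS's own implementation of the control: the sample services are constructed, and two behaviours are assumptions of this sketch, namely that in-flight deployments and task sets are inspected as well as the service-level setting, and that a service with no awsvpcConfiguration is reported as NOT_APPLICABLE.

```python
def _assign_public_ip(network_configuration):
    """Return assignPublicIp from a networkConfiguration dict, or None if absent."""
    awsvpc = (network_configuration or {}).get("awsvpcConfiguration") or {}
    return awsvpc.get("assignPublicIp")


def evaluate_service(service):
    """Return (status, failing_scopes) for one entry of a DescribeServices 'services' list."""
    # Assumption of this example: besides the service-level setting, look at each
    # deployment and task set, because a rollout in progress can carry its own value.
    scopes = [("service", service.get("networkConfiguration"))]
    for kind in ("deployments", "taskSets"):
        for item in service.get(kind, []):
            scopes.append((f"{kind}/{item.get('id', '?')}", item.get("networkConfiguration")))
    values = [(where, _assign_public_ip(cfg)) for where, cfg in scopes]
    enabled = [where for where, value in values if value == "ENABLED"]
    if enabled:
        return "FAILED", enabled
    if any(value == "DISABLED" for _, value in values):
        return "PASSED", []
    # Assumption: nothing to evaluate (for example bridge or host network mode).
    return "NOT_APPLICABLE", []


def evaluate_all(services):
    """Map serviceName to status for a list of service descriptions."""
    return {s["serviceName"]: evaluate_service(s)[0] for s in services}


# Constructed sample shaped like DescribeServices output; all identifiers are placeholders.
SAMPLE_SERVICES = [
    {"serviceName": "web-public",
     "networkConfiguration": {"awsvpcConfiguration": {
         "subnets": ["subnet-EXAMPLE1"], "assignPublicIp": "ENABLED"}}},
    {"serviceName": "api-private",
     "networkConfiguration": {"awsvpcConfiguration": {
         "subnets": ["subnet-EXAMPLE2"], "assignPublicIp": "DISABLED"}}},
    {"serviceName": "api-rollout",
     "networkConfiguration": {"awsvpcConfiguration": {"assignPublicIp": "DISABLED"}},
     "deployments": [{"id": "ecs-svc/EXAMPLE", "networkConfiguration": {
         "awsvpcConfiguration": {"assignPublicIp": "ENABLED"}}}]},
    {"serviceName": "legacy-bridge"},
]

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_SERVICES).items():
        print(f"{name}: {status}")
```

To run it against a real account, pass the `services` list from a saved DescribeServices response to `evaluate_all` in place of the constructed sample.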

Remediation

To disable automatic public IP assignment, see To configure VPC and security group settings for your service.