ECS Task Set Should Not Assign Public IP

Overview

This check verifies that ECS task sets do not automatically assign public IP addresses to tasks. When public IP assignment is enabled, your container tasks become directly reachable from the internet, which increases your attack surface.

Risk

When ECS tasks have public IP addresses, they can be discovered and targeted by attackers through:

  • Direct internet exposure - Tasks can be scanned and attacked from anywhere
  • Data exfiltration - Compromised tasks can communicate outbound without going through your security controls
  • Lateral movement - Attackers who compromise a public task can pivot to internal resources
  • Reconnaissance - Public IPs make it easier for attackers to map your infrastructure

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify ECS services
  • Knowledge of which ECS cluster and service contains the affected task set

Required IAM permissions

Your IAM user or role needs these permissions:

  • ecs:DescribeTaskSets
  • ecs:CreateTaskSet
  • ecs:UpdateTaskSet
  • ecs:DeleteTaskSet
  • ecs:UpdateService

AWS Console Method

Task sets are used with services that have the EXTERNAL deployment controller. You cannot directly edit the network configuration of an existing task set - you must create a new one with the correct settings.

  1. Open the Amazon ECS console
  2. Select Clusters from the left navigation
  3. Click on the cluster containing your service
  4. Select the Services tab and click on the affected service
  5. Review the current task set configuration under the Task sets section
  6. Create a new task set with public IP assignment disabled:
    • Use the AWS CLI or infrastructure-as-code (see sections below)
    • Set AssignPublicIp to DISABLED in the network configuration
  7. Once the new task set is stable and serving traffic, delete the old task set

Important: Task sets require the service to use the EXTERNAL deployment controller. If your service uses the standard ECS deployment controller, see the related check ecs_service_no_assign_public_ip instead.

AWS CLI

List current task sets to identify the affected one:

aws ecs describe-task-sets \
  --cluster <your-cluster-name> \
  --service <your-service-name> \
  --region us-east-1

Create a new task set with public IP disabled:

aws ecs create-task-set \
  --cluster <your-cluster-name> \
  --service <your-service-name> \
  --task-definition <your-task-definition> \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-xxxxxxxx,subnet-yyyyyyyy],securityGroups=[sg-xxxxxxxx],assignPublicIp=DISABLED}" \
  --scale value=100,unit=PERCENT \
  --region us-east-1

After the new task set is stable, delete the old one:

aws ecs delete-task-set \
  --cluster <your-cluster-name> \
  --service <your-service-name> \
  --task-set <old-task-set-id> \
  --region us-east-1

Replace the placeholders:

  • <your-cluster-name> - Your ECS cluster name or ARN
  • <your-service-name> - Your ECS service name or ARN
  • <your-task-definition> - Your task definition family:revision or ARN
  • subnet-xxxxxxxx - Your private subnet IDs
  • sg-xxxxxxxx - Your security group IDs
  • <old-task-set-id> - The ID of the task set to remove

CloudFormation

Use this CloudFormation template to create an ECS task set with public IP assignment disabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: ECS Task Set with public IP disabled

Parameters:
  ClusterName:
    Type: String
    Description: Name of the ECS cluster
  ServiceName:
    Type: String
    Description: Name of the ECS service
  TaskDefinitionArn:
    Type: String
    Description: ARN of the task definition
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of subnet IDs for the task set
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of security group IDs

Resources:
  ECSTaskSet:
    Type: AWS::ECS::TaskSet
    Properties:
      Cluster: !Ref ClusterName
      Service: !Ref ServiceName
      TaskDefinition: !Ref TaskDefinitionArn
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsVpcConfiguration:
          AssignPublicIp: DISABLED
          Subnets: !Ref SubnetIds
          SecurityGroups: !Ref SecurityGroupIds
      Scale:
        Unit: PERCENT
        Value: 100

The key setting is AssignPublicIp: DISABLED in the AwsVpcConfiguration section.

Terraform

Use this Terraform configuration to create an ECS task set with public IP assignment disabled:

variable "cluster_arn" {
  description = "ARN of the ECS cluster"
  type        = string
}

variable "service_arn" {
  description = "ARN of the ECS service"
  type        = string
}

variable "task_definition_arn" {
  description = "ARN of the task definition"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs for the task set"
  type        = list(string)
}

variable "security_group_ids" {
  description = "List of security group IDs"
  type        = list(string)
}

resource "aws_ecs_task_set" "main" {
  cluster         = var.cluster_arn
  service         = var.service_arn
  task_definition = var.task_definition_arn
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = var.subnet_ids
    security_groups  = var.security_group_ids
    assign_public_ip = false
  }

  scale {
    unit  = "PERCENT"
    value = 100
  }
}

The key setting is assign_public_ip = false in the network_configuration block.

Verification

After creating the new task set, verify the configuration:

  1. In the ECS console, navigate to your service and check the Task sets section
  2. Confirm the new task set shows AssignPublicIp: DISABLED
  3. Verify tasks are running successfully without public IP addresses

CLI verification

aws ecs describe-task-sets \
  --cluster <your-cluster-name> \
  --service <your-service-name> \
  --region us-east-1 \
  --query 'taskSets[*].networkConfiguration.awsvpcConfiguration.assignPublicIp'

The output should show DISABLED for all task sets.
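The `--query` above prints only the values, so on a service with several task sets it does not tell you which one still assigns public IPs. The script below is an added example (not part of this check's documentation or of any tool): it evaluates a saved `describe-task-sets` response and reports PASS, FAIL or NOT_APPLICABLE per task set, keyed by task set id. The embedded response is constructed to mirror the shape of the CLI output; the task set ids, ARNs, subnet and security group ids in it are placeholders. Save real output with `aws ecs describe-task-sets ... > task-sets.json` and pass the path as the first argument.

```python
"""Report which ECS task sets assign public IPs.

Added example, not part of the original check page. Works on a JSON document
in the shape returned by `aws ecs describe-task-sets` (boto3's
describe_task_sets() returns the same keys), so it runs offline.
"""
import json
import sys

# Constructed sample response: one service with three task sets. All ids,
# ARNs, subnet and security group ids are placeholders, not real resources.
SAMPLE_DESCRIBE_TASK_SETS = json.loads("""
{
  "taskSets": [
    {
      "id": "ecs-svc/1111111111111111111",
      "taskSetArn": "arn:aws:ecs:us-east-1:123456789012:task-set/example-cluster/example-service/ecs-svc/1111111111111111111",
      "status": "ACTIVE",
      "stabilityStatus": "STEADY_STATE",
      "networkConfiguration": {
        "awsvpcConfiguration": {
          "subnets": ["subnet-xxxxxxxx"],
          "securityGroups": ["sg-xxxxxxxx"],
          "assignPublicIp": "ENABLED"
        }
      }
    },
    {
      "id": "ecs-svc/2222222222222222222",
      "taskSetArn": "arn:aws:ecs:us-east-1:123456789012:task-set/example-cluster/example-service/ecs-svc/2222222222222222222",
      "status": "ACTIVE",
      "stabilityStatus": "STEADY_STATE",
      "networkConfiguration": {
        "awsvpcConfiguration": {
          "subnets": ["subnet-yyyyyyyy"],
          "securityGroups": ["sg-xxxxxxxx"],
          "assignPublicIp": "DISABLED"
        }
      }
    },
    {
      "id": "ecs-svc/3333333333333333333",
      "taskSetArn": "arn:aws:ecs:us-east-1:123456789012:task-set/example-cluster/example-service/ecs-svc/3333333333333333333",
      "status": "ACTIVE",
      "stabilityStatus": "STEADY_STATE"
    }
  ],
  "failures": []
}
""")


def assign_public_ip(task_set):
    """Return the assignPublicIp value, or None when the task set has no awsvpc
    network configuration (for example a task set using bridge networking)."""
    return (task_set.get("networkConfiguration", {})
                    .get("awsvpcConfiguration", {})
                    .get("assignPublicIp"))


def evaluate_task_sets(response):
    """Classify every task set in a describe-task-sets response.

    FAIL           - awsvpc configuration present and assignPublicIp is not DISABLED
    PASS           - assignPublicIp is DISABLED
    NOT_APPLICABLE - no awsvpc configuration, so the setting does not exist
    """
    findings = []
    for task_set in response.get("taskSets", []):
        value = assign_public_ip(task_set)
        if value is None:
            status, reason = "NOT_APPLICABLE", "no awsvpc network configuration"
        elif value == "DISABLED":
            status, reason = "PASS", "assignPublicIp is DISABLED"
        else:
            status, reason = "FAIL", f"assignPublicIp is {value}"
        findings.append({
            "id": task_set.get("id"),
            "taskSetArn": task_set.get("taskSetArn"),
            "status": status,
            "reason": reason,
        })
    return findings


def failing_task_set_ids(response):
    """Ids of task sets that still assign public IPs; empty means the check passes."""
    return [f["id"] for f in evaluate_task_sets(response) if f["status"] == "FAIL"]


if __name__ == "__main__":
    # Use a saved `aws ecs describe-task-sets` response if a path is given,
    # otherwise fall back to the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            response = json.load(fh)
    else:
        response = SAMPLE_DESCRIBE_TASK_SETS
    for finding in evaluate_task_sets(response):
        print(f"{finding['status']:<14} {finding['id']}  {finding['reason']}")
    sys.exit(1 if failing_task_set_ids(response) else 0)
```

The script exits non-zero when any task set fails, so it can gate a pipeline step. Task sets without an awsvpc configuration are reported separately rather than counted as passing, since the setting simply does not exist for them.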

Additional Resources

Notes

  • Task sets vs services: Task sets are only used with the EXTERNAL deployment controller. Most ECS services use the standard ECS deployment controller and manage tasks directly through the service configuration.
  • Private subnets: When disabling public IP assignment, ensure your tasks are deployed in private subnets with appropriate routing (NAT Gateway or VPC endpoints) if they need outbound internet access.
  • Load balancers: For tasks that need to receive inbound traffic, place them behind an Application Load Balancer or Network Load Balancer instead of using public IPs.
  • Service discovery: Consider using AWS Cloud Map for service-to-service communication instead of relying on public endpoints.