AWSOverview
This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. A public IP address is an IP address that is reachable from the internet. If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.
Remediation guidance
To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.
This control fails if AssignPublicIP is ENABLED. This control passes if AssignPublicIP is DISABLED.
For tasks that are hosted on Amazon EC2 instances, the awsvpc network mode doesn't provide task ENIs with public IP addresses. To access the internet, tasks that are hosted on Amazon EC2 instances can be launched in a private subnet that's configured to use a NAT gateway.
To configure VPC and security group settings for your service
-
If you host tasks on EC2 instances, for Cluster VPC, choose the VPC that your instances are in.
-
For Subnets, choose the available subnets for your service task placement.
-
For Security groups, choose a security group was created for your service's tasks. This security group allows HTTP traffic access from the internet (0.0.0.0/0). To edit the name or the rules of this security group or to choose an existing security group, choose Edit and then modify your security group settings.
-
For Auto-assign Public IP, choose whether to have your tasks receive a public IP address. For tasks on Fargate, for the task to pull the container image, it must either use a public subnet and be assigned a public IP address or a private subnet that has a route to the internet or a NAT gateway that can route requests to the internet.
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
ECS services should not have public IP addresses assigned to them automatically
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {hasECSServiceNetworkConfigurations_SOME: { assignPublicIP: true}}) {...AssetFragment}
}
