Why ECS services should not have public IP addresses assigned to them automatically?

0

SecurityHub generates following warning: "ECS.2 ECS services should not have public IP addresses assigned to them automatically".

But why? Our deamon that run on ECS must have access to internet and without public IP address and AssignPublicIp='ENABLED'. it is not possible access Internet. Am I right?

3 回答
0

Ok, but what about ECS task like REST API server that should be visible to Internet? For such tasks I also got "you should not have public IP addresses" warning. In my opinion there we have to suppress "ECS.2 ECS services should not have public IP addresses assigned to them automatically" warning.

已回答 2 年前
  • In that case I think you should then front the api with an ALB or an public api gateway (protected with WAF, inspection of its the case, shield), which then is linked with a private backend in private subnet

0

Hi,

this is due to security reasons as a public IP is exploitable by anyone on the internet.

To mitigate this can follow "Use private subnet with Internet Access" section on this article: https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet.

It is a pretty standard practice to place workloads on private subnets, and then use NAT Gateway to allow outbound internet.

Hope it clarifies ;)

profile picture
专家
已回答 2 年前
0

ECS tasks can reside in private subnets that have a route to the internet via a NAT Gateway. This would allow outbound internet traffic without a direct inbound path. This would be the best practices method to reduce security risks associated with tasks having direct public IP addresses.

Here is a link that discussed VPCs with private subnets and NAT Gateway https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

Hope that helps.

AWS
已回答 2 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则