Control: AWS ECS services should not have public IP addresses assigned to them automatically
Description
This control checks whether AWS ECS services are configured to automatically assign a public IP address to their tasks. It applies only to services whose task definition uses the awsvpc network mode, since that is the only mode in which each task gets its own elastic network interface and the AssignPublicIp setting has any effect; services whose task definition uses another network mode (bridge, host, none) are reported as skip. The control fails (alarm) when AssignPublicIp is ENABLED and passes (ok) when it is DISABLED.

Note that an assigned public IP makes a task addressable from the internet, but whether it is actually reachable also depends on the security groups attached to the task ENI and on the routing of its subnet. The safer pattern is to run tasks in private subnets with AssignPublicIp set to DISABLED and to provide outbound access, where needed, through a NAT gateway or VPC endpoints rather than a public IP.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ecs_service_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.ecs_service_not_publicly_accessible --share
SQL
This control uses a named query:
-- Services whose task definition uses awsvpc network mode. Only these have a
-- per-task ENI, so only these can have AssignPublicIp set.
with service_awsvpc_mode_task_definition as (
  select
    a.service_name as service_name,
    b.task_definition_arn as task_definition
  from
    aws_ecs_service as a
    left join aws_ecs_task_definition as b on a.task_definition = b.task_definition_arn
  where
    b.network_mode = 'awsvpc'
)
select
  a.arn as resource,
  case
    -- Not an awsvpc-mode service: the setting does not apply, so skip.
    when b.service_name is null then 'skip'
    when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then 'ok'
    -- ENABLED (or the key is missing/unexpected): alarm.
    else 'alarm'
  end as status,
  case
    when b.service_name is null then a.title || ' task definition not in awsvpc network mode.'
    when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then a.title || ' not publicly accessible.'
    else a.title || ' publicly accessible.'
  end as reason,
  region,
  account_id
from
  aws_ecs_service as a
  -- Note: service names are only unique within a cluster; the join is on
  -- service_name, so two clusters with a same-named service share one row here.
  left join service_awsvpc_mode_task_definition as b on a.service_name = b.service_name;
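The named query above tells you which services hand out public IPs, but not whether anything on the internet can actually talk to them. The following Steampipe query is an added example, not part of the aws_compliance mod: it takes every awsvpc-mode service with AssignPublicIp set to ENABLED, expands the security groups listed under AwsvpcConfiguration.SecurityGroups, and flags those with an ingress rule open to 0.0.0.0/0 or ::/0. Column names on aws_vpc_security_group_rule (group_id, type, cidr_ipv4, cidr_ipv6, from_port, to_port, ip_protocol) are taken from the Steampipe AWS plugin schema and are an assumption of this example; the join on cluster_arn plus service ARN avoids the same-name collision across clusters mentioned above.

```sql
-- Added example (not the mod's named query): which public-IP ECS services are
-- also reachable from the internet according to their security groups?
with public_ip_services as (
  select
    s.arn,
    s.title,
    s.cluster_arn,
    s.region,
    s.account_id,
    -- One row per security group attached to the task ENI.
    jsonb_array_elements_text(
      s.network_configuration -> 'AwsvpcConfiguration' -> 'SecurityGroups'
    ) as security_group_id
  from
    aws_ecs_service as s
    join aws_ecs_task_definition as t on s.task_definition = t.task_definition_arn
  where
    t.network_mode = 'awsvpc'
    and s.network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'ENABLED'
),
open_ingress as (
  -- Ingress rules that admit the whole IPv4 or IPv6 internet. Column names are
  -- assumed from the Steampipe aws_vpc_security_group_rule table.
  select
    group_id,
    ip_protocol,
    from_port,
    to_port
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
)
select
  p.arn as resource,
  case
    when count(o.group_id) > 0 then 'alarm'  -- public IP and an internet-open ingress rule
    else 'info'                              -- public IP, but no rule admits 0.0.0.0/0 or ::/0
  end as status,
  p.title
    || ' assigns a public IP; '
    || case
         when count(o.group_id) > 0
           then count(o.group_id) || ' internet-open ingress rule(s) on ' || p.security_group_id || '.'
         else 'no internet-open ingress rule on ' || p.security_group_id || '.'
       end as reason,
  -- Ports of the offending rules, for triage; -1/-1 with protocol -1 means all traffic.
  string_agg(
    distinct coalesce(o.ip_protocol, '') || ':' || coalesce(o.from_port::text, '') || '-' || coalesce(o.to_port::text, ''),
    ', '
  ) filter (where o.group_id is not null) as open_ports,
  p.region,
  p.account_id
from
  public_ip_services as p
  left join open_ingress as o on o.group_id = p.security_group_id
group by
  p.arn, p.cluster_arn, p.title, p.security_group_id, p.region, p.account_id
order by
  status, p.title;
```

Rows with status alarm are the ones to fix first: set AssignPublicIp to DISABLED on the service (or move it to a private subnet) and tighten the security group. Rows with status info still carry a public IP and should be remediated, but are not immediately exposed by their security groups; subnet routing and network ACLs, which this query does not examine, can further restrict or widen what is reachable.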