ECS task definition network mode not recommended

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ECS task definition network mode not recommended

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 9f4a9409-9c60-4671-be96-9716dbf63db1

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

This check ensures that the network_mode attribute in an AWS ECS task definition is set to awsvpc. When network_mode is set to any value other than awsvpc, such as none, the tasks do not leverage the enhanced network security and isolation features provided by AWS VPCs. Without awsvpc, the container tasks may lack granular control over network traffic, security group assignment, and enforcement of network policies, making them more exposed to lateral movement and attacks within the cluster. If left unaddressed, this misconfiguration could lead to unauthorized access or unintended network exposure of container workloads, increasing the risk of compromise.

Compliant Code Examples

resource "aws_ecs_task_definition" "negative1" {
  family                = "service"
  network_mode = "awsvpc"

  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}

Non-Compliant Code Examples

resource "aws_ecs_task_definition" "positive1" {
  family                = "service"
  network_mode = "none"

  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}