---
title: ECS services should not be assigned public IP addresses
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > ECS services should not be assigned public IP
  addresses
---

# ECS services should not be assigned public IP addresses

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-ecs-services-assigned-with-public-ip-address`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html)

### Description{% #description %}

Amazon ECS services should not be assigned public IP addresses. Attaching public IPs exposes tasks directly to the internet, increasing the attack surface and the risk of unauthorized access.

For Ansible tasks using the `community.aws.ecs_service` or `ecs_service` modules, the `network_configuration.assign_public_ip` property must be defined and set to `false`. Tasks with `assign_public_ip: true` are flagged. If a service needs outbound internet access, place its tasks in private subnets that route through a NAT Gateway; if it needs to receive inbound traffic, expose it through a load balancer rather than by assigning public IPs to the tasks.

Secure configuration example:

```yaml
- name: Create ECS service with no public IP
  community.aws.ecs_service:
    name: my-service
    cluster: my-cluster
    task_definition: my-task:1
    network_configuration:
      subnets:
        - subnet-0123456789abcdef0
      security_groups:
        - sg-0123456789abcdef0
      assign_public_ip: false
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: negative1
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      community.aws.ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: false
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: positive1
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create ECS service with network configuration
      community.aws.ecs_service:
        state: present
        name: example-public-ip-service
        cluster: my-ecs-cluster
        task_definition: my-task-def:1
        desired_count: 2
        launch_type: FARGATE
        network_configuration:
          subnets:
            - subnet-aaaa1111
            - subnet-bbbb2222
          security_groups:
            - sg-cccc3333
          assign_public_ip: true
```
