--- title: ECS task definition network mode not recommended description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ECS task definition network mode not recommended --- # ECS task definition network mode not recommended {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-ecs-task-definition-network-mode-not-recommended` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode) ### Description{% #description %} Amazon ECS task definitions should use `NetworkMode` set to `awsvpc` so each task receives its own elastic network interface and can be protected by VPC security groups. This enables per-task network isolation and reduces the blast radius of compromised containers. In CloudFormation, the `AWS::ECS::TaskDefinition` resource's `NetworkMode` property must be defined and set to `awsvpc`. If `NetworkMode` is undefined, it defaults to `bridge`. Resources missing the property or with any other value (for example, `bridge` or `host`) will be flagged because they cannot leverage task-level security groups. Secure configuration example: ```yaml MyTaskDefinition: Type: AWS::ECS::TaskDefinition Properties: Family: my-task NetworkMode: awsvpc ContainerDefinitions: - Name: my-container Image: nginx:latest Essential: true ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: taskdefinition: Type: AWS::ECS::TaskDefinition Properties: NetworkMode: awsvpc ContainerDefinitions: - Name: Ref: "AppName" MountPoints: - SourceVolume: "my-vol" ContainerPath: "/var/www/my-vol" Image: "amazon/amazon-ecs-sample" Cpu: 256 PortMappings: - ContainerPort: Ref: "AppContainerPort" HostPort: Ref: "AppHostPort" EntryPoint: - "/usr/sbin/apache2" - "-D" - "FOREGROUND" HealthCheck: Command: - CMD-SHELL - curl -f http://localhost:8080/ || exit 1 Interval: 30 Retries: 3 StartPeriod: 1 Timeout: 5 Memory: 512 Essential: true ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { "taskdefinition": { "Type": "AWS::ECS::TaskDefinition", "Properties": { "Volumes": [ { "Host": { "SourcePath": "/var/lib/docker/vfs/dir/" }, "Name": "my-vol" } ], "NetworkMode": "awsvpc", "ContainerDefinitions": [ { "EntryPoint": [ "/usr/sbin/apache2", "-D", "FOREGROUND" ], "Memory": 512, "PortMappings": [ { "ContainerPort": { "Ref": "AppContainerPort" }, "HostPort": { "Ref": "AppHostPort" } } ], "MountPoints": [ { "SourceVolume": "my-vol", "ContainerPath": "/var/www/my-vol" } ], "Image": "amazon/amazon-ecs-sample", "Cpu": 256, "HealthCheck": { "Command": [ "CMD-SHELL", "curl -f http://localhost:8080/ || exit 1" ], "Interval": 30, "Retries": 3, "StartPeriod": 1, "Timeout": 5 }, "Essential": true, "Name": { "Ref": "AppName" } } ] } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: taskdefinition: Type: AWS::ECS::TaskDefinition Properties: NetworkMode: none ContainerDefinitions: - Name: Ref: "AppName" MountPoints: - SourceVolume: "my-vol" ContainerPath: "/var/www/my-vol" Image: "amazon/amazon-ecs-sample" Cpu: 256 PortMappings: - ContainerPort: Ref: "AppContainerPort" HostPort: Ref: "AppHostPort" EntryPoint: - "/usr/sbin/apache2" - "-D" - "FOREGROUND" Memory: 512 Essential: true ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { "taskdefinition": { "Type": "AWS::ECS::TaskDefinition", "Properties": { "ContainerDefinitions": [ { "MountPoints": [ { "SourceVolume": "my-vol", "ContainerPath": "/var/www/my-vol" } ], "Image": "amazon/amazon-ecs-sample", "Cpu": 256, "PortMappings": [ { "HostPort": { "Ref": "AppHostPort" }, "ContainerPort": { "Ref": "AppContainerPort" } } ], "EntryPoint": [ "/usr/sbin/apache2", "-D", "FOREGROUND" ], "Memory": 512, "Essential": true, "Name": { "Ref": "AppName" } } ], "Volumes": [ { "Host": { "SourcePath": "/var/lib/docker/vfs/dir/" }, "Name": "my-vol" } ] } } } } ```