---
title: ECS task definition network mode not recommended
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > ECS task definition network mode not
  recommended
---

# ECS task definition network mode not recommended

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-ecs-task-definition-network-mode-not-recommended` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode)

### Description{% #description %}

Amazon ECS task definitions should use `NetworkMode` set to `awsvpc` so each task receives its own elastic network interface and can be protected by VPC security groups. This enables per-task network isolation and reduces the blast radius of compromised containers.

In CloudFormation, the `AWS::ECS::TaskDefinition` resource's `NetworkMode` property must be defined and set to `awsvpc`. If `NetworkMode` is undefined, it defaults to `bridge`. Resources missing the property or with any other value (for example, `bridge` or `host`) will be flagged because they cannot leverage task-level security groups.

Secure configuration example:

```yaml
MyTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: my-task
    NetworkMode: awsvpc
    ContainerDefinitions:
      - Name: my-container
        Image: nginx:latest
        Essential: true
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      ContainerDefinitions:
        - Name:
            Ref: "AppName"
          MountPoints:
            - SourceVolume: "my-vol"
              ContainerPath: "/var/www/my-vol"
          Image: "amazon/amazon-ecs-sample"
          Cpu: 256
          PortMappings:
            - ContainerPort:
                Ref: "AppContainerPort"
              HostPort:
                Ref: "AppHostPort"
          EntryPoint:
            - "/usr/sbin/apache2"
            - "-D"
            - "FOREGROUND"
          HealthCheck:
            Command:
              - CMD-SHELL
              - curl -f http://localhost:8080/ || exit 1
            Interval: 30
            Retries: 3
            StartPeriod: 1
            Timeout: 5
          Memory: 512
          Essential: true
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: none
      ContainerDefinitions:
        - Name:
            Ref: "AppName"
          MountPoints:
            - SourceVolume: "my-vol"
              ContainerPath: "/var/www/my-vol"
          Image: "amazon/amazon-ecs-sample"
          Cpu: 256
          PortMappings:
            - ContainerPort:
                Ref: "AppContainerPort"
              HostPort:
                Ref: "AppHostPort"
          EntryPoint:
            - "/usr/sbin/apache2"
            - "-D"
            - "FOREGROUND"
          Memory: 512
          Essential: true
```