ECS Service task has network mode different to awsvpc

ID

aws_ecs_task_network_mode

Severity

low

Vendor

AWS

Resource

Network

Tags

reachable

Description

ECS Service task has network mode different to awsvpc. Using the awsvpc network mode simplifies container networking and gives you more control over how containerized applications communicate with each other and with other services within your VPCs. It also provides stronger isolation for your containers: because each task gets its own elastic network interface (ENI), you can apply security groups and network monitoring tools at the task level and use other Amazon EC2 networking features, such as VPC Flow Logs, to monitor traffic to and from your tasks.

To fix it, set network_mode to awsvpc on the task definition.

Learn more about this topic at AWS ECS Tasks networking.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create task definition
      community.aws.ecs_taskdefinition:
        family: nginx
        containers:
        - name: nginx
          essential: true
          image: "nginx"
          portMappings:
          - containerPort: 8080
            hostPort: 8080
        launch_type: FARGATE
        cpu: 512
        memory: 1024
        state: present

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create task definition
      community.aws.ecs_taskdefinition:
        family: nginx
        containers:
        - name: nginx
          essential: true
          image: "nginx"
          portMappings:
          - containerPort: 8080
            hostPort: 8080
        launch_type: FARGATE
        cpu: 512
        memory: 1024
        state: present
        network_mode: awsvpc
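The check described on this page, as an added Ruby example that is not part of the original rule: it loads an Ansible playbook, walks every task (including tasks nested in block/rescue/always), and reports each ecs_taskdefinition task whose network_mode is not awsvpc. The playbook text is constructed for the example; both the FQCN and the short module name are assumed spellings of the module.

```ruby
require 'yaml'

# Constructed sample playbook (not from the page): task 1 omits network_mode, task 2 is compliant, task 3 is nested in a block and uses bridge.
SAMPLE_PLAYBOOK = <<~YAML
  - name: Example playbook
    hosts: localhost
    tasks:
      - name: Task definition without network mode
        community.aws.ecs_taskdefinition:
          family: nginx
      - name: Compliant task definition
        community.aws.ecs_taskdefinition:
          family: nginx
          network_mode: awsvpc
      - block:
          - name: Legacy task definition
            ecs_taskdefinition:
              family: legacy
              network_mode: bridge
YAML

# Module names under which an ECS task definition may be declared.
TASKDEF_MODULES = %w[community.aws.ecs_taskdefinition ecs_taskdefinition].freeze

# Yield every task hash in a task list, descending into block/rescue/always.
def each_task(tasks, &blk)
  Array(tasks).each do |task|
    next unless task.is_a?(Hash)
    %w[block rescue always].each { |k| each_task(task[k], &blk) if task.key?(k) }
    yield task
  end
end

# One finding per ecs_taskdefinition task whose network_mode is not awsvpc; an absent network_mode is a finding too, as the failing example above shows.
def check_network_mode(playbook_yaml)
  findings = []
  YAML.safe_load(playbook_yaml).each do |play|
    %w[pre_tasks tasks post_tasks handlers].each do |section|
      each_task(play[section]) do |task|
        mod = TASKDEF_MODULES.find { |m| task.key?(m) }
        next unless mod
        args = task[mod].is_a?(Hash) ? task[mod] : {}
        next if args['network_mode'] == 'awsvpc'
        findings << { task: task['name'], network_mode: args['network_mode'] }
      end
    end
  end
  findings
end
```

Each finding names the offending task and the mode it declared (nil when network_mode was omitted), so the output maps directly onto the aws_ecs_task_network_mode rule.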