What this looks like in the scanner (securecompass.io/public-exposure-scanner)
- Critical: prod-api-service. ECS Fargate service has assignPublicIp ENABLED in a public subnet with a permissive security group.
- High: worker-processing-svc. ECS task security group allows inbound traffic on port 8080 from 0.0.0.0/0.
- Medium: monitoring-sidecar. ECS service exposes container port 9090 (metrics) via public IP assignment.
What does Amazon ECS public exposure mean?
ECS tasks that use the awsvpc network mode get their own elastic network interface (ENI). If that ENI is placed in a public subnet, is assigned a public IP, and sits behind a permissive security group, the containers in the task are directly reachable from the internet.
Why it matters
Containers often run microservices that were designed for internal communication. Direct internet exposure bypasses service mesh security, API gateways, and load balancer rules that would normally protect them.
How to check manually
1. Check ECS task definitions for the network mode and service configurations for public IP assignment (assignPublicIp).
2. Review service configurations for subnet placement (public vs. private).
3. Check the associated security groups for inbound rules from 0.0.0.0/0 (and ::/0).
4. Verify that tasks intended to be internal are behind a private load balancer.
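The four checks above can be combined into one classifier. The following is an added example, not code from the scanner or from AWS: it takes service entries shaped like `aws ecs describe-services` output, the set of subnets already known to be public (route table with an internet gateway route), and security group IpPermissions shaped like `aws ec2 describe-security-groups` output, and returns a severity per service. The sample data and the Critical/High/Medium ranking are this example's own assumptions.

```python
WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" CIDRs
def world_open_ports(permissions):
    # Ports a security group's IpPermissions open to any IPv4/IPv6 address
    found = []
    for perm in permissions:
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not WORLD.intersection(c for c in cidrs if c):
            continue
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)  # -1 / absent = all
        found.append("all" if lo == -1 else str(lo) if lo == hi else f"{lo}-{hi}")
    return found

def classify_service(service, public_subnets, sg_rules):
    # Returns (severity, reason); the ranking is this example's own heuristic
    cfg = service.get("networkConfiguration", {}).get("awsvpcConfiguration")
    if cfg is None:  # bridge/host mode: no task ENI, out of scope for this check
        return "N/A", "service does not use awsvpc networking"
    public_ip = cfg.get("assignPublicIp") == "ENABLED"
    in_public = any(s in public_subnets for s in cfg.get("subnets", []))
    ports = sorted({p for sg in cfg.get("securityGroups", [])
                    for p in world_open_ports(sg_rules.get(sg, []))})
    if public_ip and in_public and ports:
        return "Critical", f"public IP in public subnet, ports {ports} open to the internet"
    if ports:
        return "High", f"security group allows ports {ports} from 0.0.0.0/0"
    if public_ip and in_public:
        return "Medium", "public IP in public subnet (no world-open ingress rule found)"
    return "Info", "no direct public exposure found"

def scan(services, public_subnets, sg_rules):
    return {s["serviceName"]: classify_service(s, public_subnets, sg_rules) for s in services}

# Constructed sample data shaped like describe-services / describe-security-groups output
def svc(name, subnets, sgs, public_ip):
    return {"serviceName": name, "networkConfiguration": {"awsvpcConfiguration":
            {"subnets": subnets, "securityGroups": sgs, "assignPublicIp": public_ip}}}

SAMPLE_PUBLIC_SUBNETS = {"subnet-public-1"}  # subnets whose route table has an igw route
SAMPLE_SG_RULES = {
    "sg-open-8080": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-internal": [{"IpProtocol": "tcp", "FromPort": 9090, "ToPort": 9090, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
}
SAMPLE_SERVICES = [
    svc("prod-api-service", ["subnet-public-1"], ["sg-open-8080"], "ENABLED"),
    svc("worker-processing-svc", ["subnet-private-1"], ["sg-open-8080"], "DISABLED"),
    svc("monitoring-sidecar", ["subnet-public-1"], ["sg-internal"], "ENABLED"),
    {"serviceName": "legacy-bridge-svc"},  # no networkConfiguration: bridge/host mode
]
```

Calling `scan(SAMPLE_SERVICES, SAMPLE_PUBLIC_SUBNETS, SAMPLE_SG_RULES)` ranks the three sample services Critical, High and Medium in that order and marks the bridge-mode service N/A; on a real account the inputs would come from the CLI calls below.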
Quick check with AWS CLI

Find ECS services with public IP assignment enabled (describe-services accepts at most 10 services per call, hence xargs -n 10; the ARNs are appended after --services):
aws ecs list-services --cluster YOUR_CLUSTER --query "serviceArns[]" --output text \
  | xargs -n 10 aws ecs describe-services --cluster YOUR_CLUSTER \
      --query "services[].[serviceName,networkConfiguration.awsvpcConfiguration.assignPublicIp]" \
      --output text --services

List ECS tasks with public IPs in a cluster (describe-tasks accepts at most 100 tasks per call; --tasks must be the last option so xargs appends the ARNs to it):
aws ecs list-tasks --cluster YOUR_CLUSTER --query "taskArns[]" --output text \
  | xargs -n 100 aws ecs describe-tasks --cluster YOUR_CLUSTER \
      --query "tasks[].attachments[].details[?name=='publicIPv4Address'].value" \
      --output text --tasks

Check the security groups attached to an ECS service:
aws ecs describe-services --cluster YOUR_CLUSTER --services YOUR_SERVICE \
  --query "services[].networkConfiguration.awsvpcConfiguration.securityGroups"

Common misconfigurations
- Tasks assigned public IPs in a public subnet
- Security groups allowing direct access to container ports
- Service discovery endpoints accessible from outside the VPC
- Fargate tasks placed in public subnets for outbound access, instead of private subnets with a NAT gateway
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.