AWS AmazonECS documentation change
Summary
Added guidance about default VPC configurations, public/private subnets, and security group rule management for container instances.
Security assessment
Added network security best practices documentation about subnet routing and security groups. While related to security configuration, there's no indication this addresses a specific vulnerability or incident.
Diff
diff --git a/AmazonECS/latest/developerguide/container-instance-eni.md b/AmazonECS/latest/developerguide/container-instance-eni.md index cd51ed104..40ede4e3f 100644 --- a/AmazonECS/latest/developerguide/container-instance-eni.md +++ b/AmazonECS/latest/developerguide/container-instance-eni.md @@ -50,0 +51,2 @@ Amazon ECS emits container instance state change events which you can monitor fo +A default VPC comes with a public subnet in each Availability Zone, an internet gateway, and settings to enable DNS resolution. The subnet is a public subnet, because the main route table sends the subnet's traffic that is destined for the internet to the internet gateway. You can make a default subnet into a private subnet by removing the route from the destination 0.0.0.0/0 to the internet gateway. However, if you do this, no container instance running in that subnet can access the internet. You can add or delete security group rules to control the traffic into and out of your subnets. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) in the _Amazon Virtual Private Cloud User Guide_. +