AWS AmazonECS high security documentation change
Summary
Added documentation about ALB health checks with TLS 1.3 and network mode requirements
Security assessment
Documents critical security configuration requirements including TLS 1.3 policies and awsvpc network mode enforcement. Incorrect configurations could lead to security vulnerabilities like unencrypted traffic.
Diff
diff --git a/AmazonECS/latest/developerguide/service-connect-tls.md b/AmazonECS/latest/developerguide/service-connect-tls.md index eecbd2a6e..b8d7b4a9e 100644 --- a//AmazonECS/latest/developerguide/service-connect-tls.md +++ b//AmazonECS/latest/developerguide/service-connect-tls.md @@ -5 +5 @@ -AWS Private Certificate Authority certificates and Service ConnectService Connect and Secrets ManagerService Connect and AWS Key Management Service +Service Connect and Application Load Balancer health checksAWS Private Certificate Authority certificates and Service ConnectService Connect and Secrets ManagerService Connect and AWS Key Management Service @@ -27,0 +28,32 @@ Only inbound and outbound traffic passing though the Amazon ECS agent is encrypt +## Service Connect and Application Load Balancer health checks + +You can use Service Connect with Application Load Balancer health checks and TLS 1.3 encryption. Configure the following parameters for Service Connect: + + * Configure the Application Load Balancer for the following: + + * Use any TLS 1.3 security policy. For more information, see [Security policies for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html). + + * A target group that uses the HTTPS protocol and is attached to a TLS listener. + + * The health checks are set to the Container Port. + + * A service with the following configuration: + + * Uses the `awsvpc` mode. + + * Has Service Connect enabled. + + * The load balancer configuration set to use the target group configured on your Application Load Balancer and the container port set to the same port as your service. + + * Service can't be configured with an `ingressPortOverride`. For more information, see [ServiceConnectService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectService.html) in the _Amazon Elastic Container Service API Reference_. + + + + +Considerations: + + * Service Connect with TLS does not support Bridge networking mode. Only `awsvpc` networking mode is supported. + + + +