AWS AmazonECS medium security documentation change
Summary
Restructured documentation with clearer configuration steps for Application Load Balancer and Service Connect TLS setup. Added explicit TLS 1.3 policy example (ELBSecurityPolicy-TLS13-1-2-2021-06) and emphasized 'awsvpc' network mode requirement.
Security assessment
The change explicitly enforces TLS 1.3 security policies and warns against insecure configurations like using 'bridge' network mode for HTTPS health checks. Specifying a modern TLS policy (TLS 1.3) and network isolation through 'awsvpc' mode addresses potential security risks from outdated encryption or network exposure.
Diff
diff --git a/AmazonECS/latest/developerguide/service-connect-tls.md b/AmazonECS/latest/developerguide/service-connect-tls.md index b8d7b4a9e..f25ab6bb4 100644 --- a//AmazonECS/latest/developerguide/service-connect-tls.md +++ b//AmazonECS/latest/developerguide/service-connect-tls.md @@ -30 +30 @@ Only inbound and outbound traffic passing though the Amazon ECS agent is encrypt -You can use Service Connect with Application Load Balancer health checks and TLS 1.3 encryption. Configure the following parameters for Service Connect: +You can use Service Connect with Application Load Balancer health checks and TLS 1.3 encryption. @@ -32 +32 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * Configure the Application Load Balancer for the following: +### Application Load Balancer configuration @@ -34 +34 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * Use any TLS 1.3 security policy. For more information, see [Security policies for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html). +Configure the Application Load Balancer with the following settings: @@ -36 +36 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * A target group that uses the HTTPS protocol and is attached to a TLS listener. + * Configure a TLS listener with a TLS 1.3 security policy (such as `ELBSecurityPolicy-TLS13-1-2-2021-06`). For more information, see [Security policies for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html). @@ -38 +38 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * The health checks are set to the Container Port. + * Create a target group with the following settings: @@ -40 +40 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * A service with the following configuration: + * Set the protocol to HTTPS @@ -42 +42 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * Uses the `awsvpc` mode. + * Attach the target group to the TLS listener @@ -44 +44 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * Has Service Connect enabled. + * Configure the health check port to match your Service Connect service's container port @@ -46 +45,0 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * The load balancer configuration set to use the target group configured on your Application Load Balancer and the container port set to the same port as your service. @@ -48 +46,0 @@ You can use Service Connect with Application Load Balancer health checks and TLS - * Service can't be configured with an `ingressPortOverride`. For more information, see [ServiceConnectService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectService.html) in the _Amazon Elastic Container Service API Reference_. @@ -50,0 +49 @@ You can use Service Connect with Application Load Balancer health checks and TLS +### Service Connect configuration @@ -51,0 +51 @@ You can use Service Connect with Application Load Balancer health checks and TLS +Configure a service with the following settings: @@ -53 +53 @@ You can use Service Connect with Application Load Balancer health checks and TLS -Considerations: + * Configure the service to use `awsvpc` network mode, as `bridge` network mode is not supported. @@ -55 +55,20 @@ Considerations: - * Service Connect with TLS does not support Bridge networking mode. Only `awsvpc` networking mode is supported. + * Enable Service Connect for the service. + + * Set up the load balancer configuration with the following settings: + + * Specify the target group you configured for your Application Load Balancer + + * Set the container port to match the Service Connect TLS service's container port + + * Avoid setting `ingressPortOverride` for the service. For more information, see [ServiceConnectService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectService.html) in the _Amazon Elastic Container Service API Reference_. + + + + +### Considerations + +Consider the following when using Application Load Balancer, TLS and Service Connect: + + * Use `awsvpc` network mode instead of `bridge` network mode for HTTPS health checks when using Service Connect with TLS encryption. HTTP health checks will continue to work with `bridge` mode. + + * Configure the target group health check port to match the Service Connect service's container port, not the default HTTPS port (443).