Skill323 repo starsupdated today

cis-aws-compute-3.2

This Claude Code skill validates that Amazon ECS services have public IP assignment disabled to prevent unintended container exposure to the internet. Use this skill when auditing ECS cluster configurations for network security compliance and when implementing controls to restrict direct public access to containerized applications.

View source Repository: CyberStrike

Install in Claude Code

Copy

git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-3.2 && cp -r /tmp/cis-aws-compute-3.2/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-3.2 ~/.claude/skills/cis-aws-compute-3.2

Then start a new Claude Code session; the skill loads automatically.

Definition

SKILL.md

# Ensure 'assignPublicIp' is set to 'DISABLED' for Amazon ECS services

## Description

Ensure that `assignPublicIp` is set to `DISABLED` for Amazon ECS services, to restrict direct exposure of containers to the public internet.

## Rationale

Enabling public IP assignment could expose container application servers to unintended or unauthorized access.

## Impact

Disabling `assignPublicIp` introduces administrative, operational, and potential cost overhead due to the need to configure and maintain private networking and associated resources.

## Audit Procedure

### Using AWS Console

1. Login to the ECS console using https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Clusters`.
3. Click the name of a cluster.
4. Under `Services`, click the name of a service.
5. Click `Configuration and networking`.
6. Under `Network configuration`, ensure `Auto-assign public IP` is set to `Turned off`.
7. Repeat steps 1-6 for each ECS cluster and service.

### Using AWS CLI

Run the following command to list clusters:

```
aws ecs list-clusters
```

Run the following command to list services in a cluster:

```
aws ecs list-services --cluster <cluster-arn>
```

Run the following command to view the details of a service:

```
aws ecs describe-services --cluster <cluster-arn> --services <service-arn>
```

Under `networkConfiguration` > `awsvpcConfiguration`, ensure `assignPublicIp` is set to `DISABLED`.
Repeat for each cluster and service.

## Expected Result

`assignPublicIp` should be set to `DISABLED` under `networkConfiguration` > `awsvpcConfiguration` for all ECS services.

## Remediation

### Using AWS Console

No specific console remediation steps provided. Use the CLI remediation below.

### Using AWS CLI

For each service requiring remediation, run the following command to set `assignPublicIp` to `DISABLED`:

```
aws ecs update-service --cluster <cluster-arn> --service <service-arn> --network-configuration '{"awsvpcConfiguration":{"subnets":["<subnet-id>"],"securityGroups":["<security-group-id>"],"assignPublicIp":"DISABLED"}}'
```

## Default Value

By default, `assignPublicIp` is set to `ENABLED`.

## References

1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/list-clusters.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/list-services.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-services.html
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/update-service.html
5. https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_AwsVpcConfiguration.html

## CIS Controls

| Controls Version | Control                                               | IG 1 | IG 2 | IG 3 |
| ---------------- | ----------------------------------------------------- | ---- | ---- | ---- |
| v8               | 3.3 Configure Data Access Control Lists               | x    | x    | x    |
| v7               | 14.6 Protect Information through Access Control Lists | x    | x    | x    |

## Profile

Level 1 | Automated