🟡 Medium  |  Source: AWS Security Blog


AWS has introduced container attribute-based rules in AWS Network Firewall, enabling fine-grained traffic control for containerised workloads running on Amazon EKS and ECS. Security teams can now write firewall rules that reference container-level attributes such as pod labels or task metadata, rather than relying solely on IP addresses or VPC constructs. This is particularly valuable for AI/ML workloads, where restricting lateral movement and controlling egress are critical.

Security Architect’s Take: Review existing Network Firewall rule groups for EKS and ECS environments and consider migrating broad IP-based rules to container attribute-based rules to enforce least-privilege network access at the workload level — particularly for sensitive AI/ML pipelines such as model inference endpoints and JupyterHub instances.

Original advisory: Secure Amazon container workloads using container attribute-based rules in AWS Network Firewall