diff --git a/lib/ansible/modules/cloud/amazon/ecs_service.py b/lib/ansible/modules/cloud/amazon/ecs_service.py index 52879bba2e7..90c42b72371 100644 --- a/lib/ansible/modules/cloud/amazon/ecs_service.py +++ b/lib/ansible/modules/cloud/amazon/ecs_service.py @@ -100,10 +100,21 @@ options: network_configuration: description: - network configuration of the service. Only applicable for task definitions created with C(awsvpc) I(network_mode). - - I(network_configuration) has two keys, I(subnets), a list of subnet IDs to which the task is attached and I(security_groups), - a list of group names or group IDs for the task - assign_public_ip requires botocore >= 1.8.4 - version_added: 2.6 + suboptions: + subnets: + description: + - A list of subnet IDs to associate with the task + version_added: 2.6 + security_groups: + description: + - A list of security group names or group IDs to associate with the task + version_added: 2.6 + assign_public_ip: + description: + - Whether the task's elastic network interface receives a public IP address. This option requires botocore >= 1.8.4. + choices: ["ENABLED", "DISABLED"] + version_added: 2.7 launch_type: description: - The launch type on which to run your service @@ -312,11 +323,11 @@ class EcsServiceManager: def format_network_configuration(self, network_config): result = dict() - if 'subnets' in network_config: + if network_config['subnets'] is not None: result['subnets'] = network_config['subnets'] else: self.module.fail_json(msg="Network configuration must include subnets") - if 'security_groups' in network_config: + if network_config['security_groups'] is not None: groups = network_config['security_groups'] if any(not sg.startswith('sg-') for sg in groups): try: 
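Review bot: The new `assign_public_ip` and `security_groups` entries in the options block do not say what happens when either is left out, and both determine how exposed the task is. With `ENABLED` the task's network interface receives a public address, so reachability is then governed only by the attached security groups, and ECS falls back to the VPC's default security group when none is supplied. I would add `- When omitted, no value is sent and the ECS service default applies.` to the `assign_public_ip` description and `- If omitted, ECS uses the default security group of the VPC.` to `security_groups`.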
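Review bot: In format_network_configuration, `network_config['subnets'] is not None` lets an empty list through, so `subnets: []` is passed on to ECS instead of hitting the module's own "Network configuration must include subnets" error. The same holds for `security_groups: []`, which ends up as an empty `securityGroups`. A truthiness test, `if network_config['subnets']:` and `if network_config['security_groups']:`, covers both None and empty. The direct indexing also relies on the argument spec populating every suboption (None when unset), which deserves a one-line comment such as `# suboptions are always present because of the argument spec; unset ones are None`. The function body continues past the end of this hunk.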
@@ -325,10 +336,11 @@ class EcsServiceManager: except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: self.module.fail_json_aws(e, msg="Couldn't look up security groups") result['securityGroups'] = groups - if 'assign_public_ip' in network_config and self.module.botocore_at_least('1.8.4'): - result['assign_public_ip'] = 'assign_public_ip' - else: - self.module.fail_json(msg='botocore needs to be version 1.8.4 or higher to use assign_public_ip in network_configuration') + if network_config['assign_public_ip'] is not None: + if self.module.botocore_at_least('1.8.4'): + result['assignPublicIp'] = network_config['assign_public_ip'] + else: + self.module.fail_json(msg='botocore needs to be version 1.8.4 or higher to use assign_public_ip in network_configuration') return dict(awsvpcConfiguration=result) def find_in_array(self, array_of_services, service_name, field_name='serviceArn'): @@ -446,7 +458,11 @@ def main(): deployment_configuration=dict(required=False, default={}, type='dict'), placement_constraints=dict(required=False, default=[], type='list'), placement_strategy=dict(required=False, default=[], type='list'), - network_configuration=dict(required=False, type='dict'), + network_configuration=dict(required=False, type='dict', options=dict( + subnets=dict(type='list'), + security_groups=dict(type='list'), + assign_public_ip=dict(choices=['ENABLED', 'DISABLED']), + )), launch_type=dict(required=False, choices=['EC2', 'FARGATE']) )) diff --git a/test/integration/targets/ecs_cluster/playbooks/network_assign_public_ip_fail.yml b/test/integration/targets/ecs_cluster/playbooks/network_assign_public_ip_fail.yml index 92352bba858..a6c83f2b4d4 100644 --- a/test/integration/targets/ecs_cluster/playbooks/network_assign_public_ip_fail.yml +++ b/test/integration/targets/ecs_cluster/playbooks/network_assign_public_ip_fail.yml 
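Review bot: Nothing in this hunk shows `assignPublicIp` taking part in the comparison against an existing service, so a change of value may go unnoticed. If that comparison (outside the hunk) ignores the network configuration, a playbook that switches `assign_public_ip` from `ENABLED` to `DISABLED` would report no change and the service would keep handing out public addresses. The integration test added in roles/ecs_cluster/tasks/main.yml asserts only `ENABLED` on first creation. A second run of the same task with `assign_public_ip: DISABLED`, asserting `changed` and `assignPublicIp == "DISABLED"`, would cover the direction that matters when removing exposure. format_network_configuration starts outside this hunk.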
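Review bot: In main(), `subnets=dict(type='list')` leaves the mandatory-subnets rule to a runtime `fail_json` in format_network_configuration. Declaring it in the spec as `subnets=dict(type='list', required=True)`, with a matching `required: true` in the documentation block, rejects the task during argument validation and states the rule in one place. Declaring `options=` should also mean that unknown keys under `network_configuration` are now rejected rather than ignored, which is presumably why the test playbooks change `groups:` to `security_groups:`. That is the safer behaviour, since a mistyped key can no longer silently drop the intended security groups, but it can break existing playbooks and deserves a line in the changelog. main() starts and ends outside the hunk.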
@@ -58,9 +58,9 @@ network_configuration: subnets: - subnet-abcd1234 - groups: + security_groups: - sg-abcd1234 - assign_public_ip: true + assign_public_ip: ENABLED state: present <<: *aws_connection_info register: ecs_service_creation_vpc diff --git a/test/integration/targets/ecs_cluster/playbooks/network_fail.yml b/test/integration/targets/ecs_cluster/playbooks/network_fail.yml index 266ed3095a4..72c2f8876e7 100644 --- a/test/integration/targets/ecs_cluster/playbooks/network_fail.yml +++ b/test/integration/targets/ecs_cluster/playbooks/network_fail.yml @@ -68,7 +68,7 @@ network_configuration: subnets: - subnet-abcd1234 - groups: + security_groups: - sg-abcd1234 state: present <<: *aws_connection_info @@ -90,7 +90,7 @@ network_configuration: subnets: - subnet-abcd1234 - groups: + security_groups: - sg-abcd1234 launch_type: FARGATE state: present @@ -132,7 +132,7 @@ network_configuration: subnets: - subnet-abcd1234 - groups: + security_groups: - sg-abcd1234 <<: *aws_connection_info register: ecs_task_creation_vpc diff --git a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml index ccb23deb3f5..d128811a679 100644 --- a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml +++ b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml @@ -629,9 +629,15 @@ subnets: "{{ setup_subnet.results | json_query('[].subnet.id') }}" security_groups: - '{{ setup_sg.group_id }}' + assign_public_ip: ENABLED <<: *aws_connection_info register: ecs_fargate_service_network_with_awsvpc + - name: assert that public IP assignment is enabled + assert: + that: + - 'ecs_fargate_service_network_with_awsvpc.service.networkConfiguration.awsvpcConfiguration.assignPublicIp == "ENABLED"' + # ============================================================ # End tests for Fargate 
diff --git a/test/integration/targets/ecs_cluster/runme.sh b/test/integration/targets/ecs_cluster/runme.sh
index aebbb5e4124..1d968957a56 100755
--- a/test/integration/targets/ecs_cluster/runme.sh
+++ b/test/integration/targets/ecs_cluster/runme.sh
@@ -28,5 +28,5 @@ ansible-playbook -i ../../inventory -e @../../integration_config.yml -e @../../c
 # Run full test suite
 virtualenv --system-site-packages --python "${PYTHON}" "${MYTMPDIR}/botocore-recent"
 source "${MYTMPDIR}/botocore-recent/bin/activate"
-$PYTHON -m pip install 'botocore>=1.8.0' boto3
+$PYTHON -m pip install 'botocore>=1.8.4' boto3
 ansible-playbook -i ../../inventory -e @../../integration_config.yml -e @../../cloud-config-aws.yml -v playbooks/full_test.yml "$@"