AWS outbound rule for ECS hosts in VPC


I'm trying to set up my ECS hosts so the outbound rules do not allow the whole world, very similar to this issue. The ideal way would be to point directly to the NAT gateway but according to Amazon, that is not possible:

Note that security groups cannot be directly associated with a NAT gateway. Instead, customers can use EC2 instance security groups outbound rules to control authorized network destinations or leverage a network ACL associated with the NAT gateway’s subnet to implement subnet-level controls over NAT gateway traffic.

How do I set up a proxy or ACL for the ECS hosts?


There is 1 answer

nathanpeck

This reference architecture should be helpful to you; it contains a CloudFormation template that automatically sets this up for you, so you can learn from the configuration it contains: https://github.com/awslabs/ecs-refarch-cloudformation
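The two controls Amazon's note describes (explicit security group egress on the instances, and a network ACL on the NAT gateway's subnet) look like this in CloudFormation. This is an added example written for this page; it is not code from the question, the answer, or the awslabs reference architecture. It assumes `VpcId`, `PublicSubnet` (a subnet holding only the NAT gateway) and `LoadBalancerSecurityGroup` are defined elsewhere in the same template, and the CIDR values are constructed placeholders.

```yaml
# Added example (not from the question, the answer or the awslabs refarch).
# Assumes VpcId, PublicSubnet and LoadBalancerSecurityGroup exist in the template.
Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16          # constructed sample value
  AllowedEgressCidr:
    Type: String
    Description: The one external destination hosts may reach through the NAT gateway
    Default: 203.0.113.0/24       # TEST-NET-3 placeholder, replace with the real range

Resources:
  # 1. Security group for the ECS container instances.
  #    Listing SecurityGroupEgress explicitly means CloudFormation does not add
  #    the default allow-all (0.0.0.0/0) outbound rule.
  EcsHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS container instances with explicit egress
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp          # ephemeral ports used by dynamic port mapping
          FromPort: 32768
          ToPort: 65535
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
      SecurityGroupEgress:
        - IpProtocol: -1           # anything inside the VPC: DNS resolver, VPC endpoints, databases
          CidrIp: !Ref VpcCidr
        - IpProtocol: tcp          # HTTPS to the single allowed destination, via the NAT gateway
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AllowedEgressCidr

  # 2. Network ACL on the NAT gateway's subnet. NACLs are stateless, so each
  #    direction of the flow needs its own entry; PortRange is the destination port.
  NatSubnetNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId
  NatSubnetAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      NetworkAclId: !Ref NatSubnetNetworkAcl
  NatAclInFromVpc:                 # requests arriving from the private subnets
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NatSubnetNetworkAcl
      RuleNumber: 100
      Egress: false
      RuleAction: allow
      Protocol: 6
      CidrBlock: !Ref VpcCidr
      PortRange: { From: 443, To: 443 }
  NatAclOutToAllowed:              # NAT gateway forwarding them to the allowed destination
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NatSubnetNetworkAcl
      RuleNumber: 100
      Egress: true
      RuleAction: allow
      Protocol: 6
      CidrBlock: !Ref AllowedEgressCidr
      PortRange: { From: 443, To: 443 }
  NatAclInReturnFromAllowed:       # responses come back to the NAT gateway on ephemeral ports
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NatSubnetNetworkAcl
      RuleNumber: 110
      Egress: false
      RuleAction: allow
      Protocol: 6
      CidrBlock: !Ref AllowedEgressCidr
      PortRange: { From: 1024, To: 65535 }
  NatAclOutReturnToVpc:            # and are forwarded back to the hosts' ephemeral ports
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NatSubnetNetworkAcl
      RuleNumber: 110
      Egress: true
      RuleAction: allow
      Protocol: 6
      CidrBlock: !Ref VpcCidr
      PortRange: { From: 1024, To: 65535 }
```

Two things to check before applying this to a real cluster. First, the ECS agent, ECR pulls and CloudWatch log shipping all need to reach AWS service endpoints; with egress locked down like this they must go through VPC interface endpoints (which land inside `VpcCidr`) rather than through the NAT gateway, otherwise the instances will fail to register. Second, the NACL applies to every resource in `PublicSubnet`, so if a load balancer shares that subnet with the NAT gateway, these entries will block its client traffic; keep the NAT gateway in a subnet of its own.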