🛡️ AWS ECS Task Definition passes secrets as container environment variables🟢

• Contextual name: 🛡️ Task Definition passes secrets as container environment variables🟢
• ID: /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ECS Task Definition
  • 🔌 AWS ECS Container Definition - object.extracts.yaml
  • 🔌 AWS ECS Task Definition - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ECS.8] Secrets should not be passed as container environment variables

Description

Open File

Description

This policy identifies AWS ECS Task Definitions that contain environment variables potentially holding sensitive information. It inspects the environment parameters within container definitions for variable names that include keywords such as PASSWORD, SECRET, API_KEY, ACCESS_KEY, or TOKEN.

Passing secrets as plaintext environment variables is insecure because these values are visible to anyone with access to the ECS Task Definition, via the AWS Console, CLI, or API, and may also appear in CloudFormation templates, logs, or audit records.

Rationale

Sensitive data should never be hardcoded directly into application manifests or configuration files. Environment variables are frequently exposed in logs, dashboards, or version histories. Changes to task definitions create new immutable revisions, potentially preserving plaintext secrets indefinitely.

AWS offers secure alternatives for handling sensitive values, such as AWS Secrets Manager and AWS Systems Manager Parameter Store, both of which allow applications to retrieve secrets at runtime without embedding them directly in task definitions.

... see more

Remediation

Open File

Remediation

Move Sensitive Data to AWS Secrets Manager

Using the AWS CLI

Sensitive data should be stored securely and referenced in ECS Task Definitions via the secrets parameter rather than embedding it in environment variables.

1. Store the secret in AWS Secrets Manager

   aws secretsmanager create-secret \
       --name "{{app/db_password}}" \
       --secret-string "{{secret-password}}"

2. Retrieve the existing task definition

   aws ecs describe-task-definition \
       --task-definition {{family-or-full-arn}} \
       --query 'taskDefinition' > task-def.json

3. Update task-def.json

   Move the sensitive entry from environment to secrets.

   Before:

   "environment": [
       { "name": "{{DB_PASSWORD}}", "value": "{{secret-password}}" }
   ]

   After:

   "environment": [],
   "secrets": [
       { "name": "{{DB_PASSWORD}}", "valueFrom": "{{arn:aws:ssm:region:account:parameter/app/db_password}}" }
   ]

4. Register the updated task definition

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.8] Secrets should not be passed as container environment variables			1		no data
💼 Cloudaware Framework → 💼 Secure Access			74		no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47		no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46		no data
💼 PCI DSS v4.0.1 → 💼 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.			1		no data
💼 PCI DSS v4.0 → 💼 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.			1		no data