Skip to main content

🧠 AWS ECS Task Definition passes secrets as container environment variables - prod.logic.yaml🟒

Uses​

Test Results πŸŸ’β€‹

Generated at: 2025-12-17T01:30:47.042242193Z Open

ResultIdCondition IndexCondition TextRuntime Error
🟒test1βœ”οΈ 99βœ”οΈ isDisappeared(CA10__disappearanceTime__c)βœ”οΈ null
🟒test2βœ”οΈ 199βœ”οΈ extract('CA10__status__c') != 'ACTIVE'βœ”οΈ null
🟒test3βœ”οΈ 299βœ”οΈ CA10__AWS_ECS_Container_Definitions__r.has(INCOMPLIANT)βœ”οΈ null
🟒test4βœ”οΈ 300βœ”οΈ otherwiseβœ”οΈ null

Generation Bundle​

FileMD5
Open/ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/policy.yaml5BC3A77939E40C9A7B747039E348FC05
Open/ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml0A77A073C306DC0F043FB74D0F1C9D55
Open/ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/test-data.json8181752D434204871F7C07B4341D8834
Open/types/CA10__CaAwsEcsContainerDefinition__c/object.extracts.yamlCC5A82BF4FFAB345C4215DD75B708F18
Open/types/CA10__CaAwsEcsTaskDefinition__c/object.extracts.yaml5F3958CAB2B0FF7CE5C1D38F940B5729

Available Commands​

repo-manager policies generate FULL /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/ecs/task-definition-secrets-as-environment-variables/prod.logic.yaml

Content​

Open File

---
inputType: "CA10__CaAwsEcsTaskDefinition__c"
testData:
  - file: "test-data.json"
importExtracts:
  - file: "/types/CA10__CaAwsEcsTaskDefinition__c/object.extracts.yaml"
  - file: "/types/CA10__CaAwsEcsContainerDefinition__c/object.extracts.yaml"
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "The Task Definition is not active."
    check:
      NOT_EQUAL:
        left:
          EXTRACT: "CA10__status__c"
        right:
          TEXT: "ACTIVE"
  - status: "INCOMPLIANT"
    currentStateMessage: "The Task Definition contains environment variables with\
      \ names indicating sensitive data (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECS_ENGINE_AUTH_DATA)."
    remediationMessage: "Move sensitive data to AWS Secrets Manager or SSM Parameter\
      \ Store and reference them using the secrets parameter."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_ECS_Container_Definitions__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "No obvious secrets detected in plaintext environment variables (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECS_ENGINE_AUTH_DATA)."
relatedLists:
  - relationshipName: "CA10__AWS_ECS_Container_Definitions__r"
    conditions:
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains ECS_ENGINE_AUTH_DATA secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "ECS_ENGINE_AUTH_DATA"
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains PASSWORD secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "PASSWORD"
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains SECRET secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "SECRET"
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains API_KEY secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "API_KEY"
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains ACCESS_KEY secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "ACCESS_KEY"
      - status: "INCOMPLIANT"
        currentStateMessage: "The container contains TOKEN secret in environment variables."
        check:
          CONTAINS:
            arg:
              EXTRACT: "CA10__environment__c"
            search:
              BYTES: "TOKEN"
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "The container does not contain any secrets in environment variables."