Ensure ECS task definition variables do not expose secrets
Error: ECS task definition variables expose secrets
Bridgecrew Policy ID: BC_AWS_SECRETS_4
ECS task definition variables expose secrets
ECS task definition variables are metadata: small configuration values that define the parameters under which the ECS task runs. Any principal with the most basic read-only metadata permissions can read these variables, and they cannot be encrypted.
We recommend removing secrets from unencrypted locations, especially ones that are this easy to read, to reduce the risk of exposing data to third parties.
Fix - Runtime
ECS enables storing sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters. For additional guidance, see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html.
To see which environment variables the task definition exposes, run the following CLI command (the JMESPath query is quoted so the shell does not expand `[*]`):
aws ecs describe-task-definition --region <REGION> --task-definition <TASK_DEFINITION_NAME> --query 'taskDefinition.containerDefinitions[*].environment'
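The following is an added example, not code from Bridgecrew or AWS. It applies the check behind this policy to a task definition document of the kind `describe-task-definition` returns (pass `data["taskDefinition"]` from the CLI's JSON output), flagging `environment` entries whose names look like credentials, and then shows the remediated shape: each flagged variable is moved to the container's `secrets` list as a `name`/`valueFrom` reference to a Secrets Manager or Parameter Store entry. The task definition, the variable names and the ARN are constructed samples; `placeholder_arn` is a hypothetical helper whose output must be replaced with the real secret ARN.

```python
import json
import re

# Constructed sample task definition (not taken from the page): two plain-text
# secrets sit in `environment` next to a harmless setting.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "example/web:1.0",
            "environment": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DB_PASSWORD", "value": "constructed-sample-password"},
                {"name": "API_TOKEN", "value": "constructed-sample-token"},
            ],
            "secrets": [],
        }
    ],
}

# Heuristic on the variable NAME only; values are never printed or logged,
# so running this check does not itself leak the secret.
SECRET_NAME_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)", re.I
)


def find_exposed_secrets(task_def):
    """Return (container name, variable name) pairs for environment entries
    that look like secrets. Entries already under `secrets` are not flagged,
    because ECS resolves those at launch and the plain value never sits in
    the task definition."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for var in container.get("environment") or []:
            if SECRET_NAME_RE.search(var.get("name", "")):
                findings.append((container["name"], var["name"]))
    return findings


def placeholder_arn(name):
    # Hypothetical helper: a labelled placeholder, not a real ARN.
    return f"arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:{name}-PLACEHOLDER"


def move_to_secrets(task_def, arn_for_name=placeholder_arn):
    """Return a deep copy in which every flagged variable is removed from
    `environment` and re-added under `secrets` as a `valueFrom` reference."""
    fixed = json.loads(json.dumps(task_def))
    for container in fixed.get("containerDefinitions", []):
        kept = []
        moved = list(container.get("secrets") or [])
        for var in container.get("environment") or []:
            if SECRET_NAME_RE.search(var.get("name", "")):
                moved.append({"name": var["name"], "valueFrom": arn_for_name(var["name"])})
            else:
                kept.append(var)
        container["environment"] = kept
        container["secrets"] = moved
    return fixed


if __name__ == "__main__":
    for container, name in find_exposed_secrets(SAMPLE_TASK_DEFINITION):
        print(f"exposed: container={container} variable={name}")
    print(json.dumps(move_to_secrets(SAMPLE_TASK_DEFINITION), indent=2))
```

After remediation the plain values are gone from the task definition; the container still receives the variables at start-up because ECS fetches them from the referenced store, provided the task execution role is allowed to read those secrets.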