Variables in an ECS task definition are metadata that usually hold small configuration values defining the ECS cluster execution parameters. Any entity with the most basic read-metadata-only permissions can read these variables, and they can't be encrypted.
We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.
ECS enables storing sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters. For additional guidance, see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html.
To see the secret, run the following CLI command:
aws ecs describe-task-definition --region <REGION> --task-definition <TASK_DEFINITION_NAME> --query 'taskDefinition.containerDefinitions[*].environment'
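One way to triage the result, as an added example that is not part of the original page: the function below takes the full JSON output of that command (run without the --query filter) and flags plaintext environment entries that look like credentials, while entries under secrets, which carry only a valueFrom reference to Secrets Manager or Parameter Store, are not flagged. The name and value patterns are heuristics assumed for this example, and the sample task definition is constructed.

```python
import json
import re

# Variable names that commonly indicate a credential (heuristic, assumed for this example).
SECRET_NAME = re.compile(r"password|passwd|secret|token|api[_-]?key|private[_-]?key|credential", re.I)
# Values shaped like AWS access key IDs or PEM private key headers.
SECRET_VALUE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b|-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_plaintext_secrets(task_definition_json):
    """Return (container, variable, reason) for each suspicious plaintext environment entry."""
    task_def = json.loads(task_definition_json)["taskDefinition"]
    findings = []
    for container in task_def.get("containerDefinitions", []):
        # Only "environment" is inspected: entries under "secrets" hold a
        # valueFrom reference, not the secret itself.
        for var in container.get("environment", []):
            name, value = var.get("name", ""), var.get("value", "")
            if SECRET_VALUE.search(value):
                findings.append((container["name"], name, "value looks like a credential"))
            elif SECRET_NAME.search(name) and value:
                findings.append((container["name"], name, "name suggests a credential"))
    return findings


# Constructed sample in the shape returned by `aws ecs describe-task-definition` (not real data).
SAMPLE = json.dumps({"taskDefinition": {"family": "example-task", "containerDefinitions": [
    {"name": "web",
     "environment": [
         {"name": "LOG_LEVEL", "value": "info"},
         {"name": "DB_PASSWORD", "value": "constructed-example-value"},
         {"name": "UPSTREAM", "value": "AKIAEXAMPLEEXAMPLE00"}],
     "secrets": [
         {"name": "API_TOKEN",
          "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-AbCdEf"}]},
]}})

if __name__ == "__main__":
    for container, name, reason in find_plaintext_secrets(SAMPLE):
        print(f"{container}: {name} ({reason})")
```

Each flagged variable is a candidate to move from environment to a secrets entry that references Secrets Manager or Parameter Store.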