Ensure ECS task definition variables do not expose secrets

Error: ECS task definition variables expose secrets

Bridgecrew Policy ID: BC_AWS_SECRETS_4
Severity: HIGH

ECS task definition variables expose secrets


ECS task definition variables are metadata definitions that usually hold small configuration values defining the ECS cluster execution parameters. They can be read by any entity with the most basic read-metadata-only permissions, and they cannot be encrypted, so a secret placed in one is effectively stored in plaintext.

We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime


ECS enables storing sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters. For additional guidance, see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html.
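The following Python script is an added example, not part of the Bridgecrew policy text or any AWS tooling. It shows the check and the fix side by side: it scans a constructed task definition (shaped like the `taskDefinition` object returned by `aws ecs describe-task-definition`) for plaintext environment variables whose names suggest credentials, then produces a hardened copy that moves those variables from `environment` to `secrets`, where `valueFrom` references a Secrets Manager secret or an SSM Parameter Store parameter. The container, variable names, values and ARNs are all constructed for the example; the name-matching pattern is a heuristic of this example, not an AWS or Bridgecrew rule.

```python
import json
import re

# Constructed sample resembling the output of
#   aws ecs describe-task-definition --query taskDefinition
# with plaintext credentials in the container environment (the finding).
INSECURE_TASK_DEFINITION = json.loads("""
{
  "family": "example-web",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "example/web:1.0",
      "environment": [
        {"name": "APP_ENV", "value": "production"},
        {"name": "DB_PASSWORD", "value": "hunter2"},
        {"name": "API_TOKEN", "value": "tok_constructed_value"}
      ]
    }
  ]
}
""")

# Variable names that usually carry credentials. Name-based matching is a
# heuristic: it catches the common cases but misses a secret stored under an
# innocuous name, so still review the full environment list by hand.
SECRET_NAME_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)


def find_exposed_secrets(task_definition):
    """Return (container, variable) pairs for plaintext environment entries
    whose names look like secrets."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        for var in container.get("environment") or []:
            if SECRET_NAME_RE.search(var["name"]):
                findings.append((container["name"], var["name"]))
    return findings


def move_to_secrets(task_definition, secret_refs):
    """Return a copy of the task definition with flagged variables moved from
    `environment` (plaintext value) to `secrets` (`valueFrom` = Secrets Manager
    or SSM Parameter Store ARN). `secret_refs` maps variable name -> ARN."""
    hardened = json.loads(json.dumps(task_definition))  # deep copy, original untouched
    for container in hardened.get("containerDefinitions", []):
        kept = []
        moved = list(container.get("secrets") or [])
        for var in container.get("environment") or []:
            if SECRET_NAME_RE.search(var["name"]):
                if var["name"] not in secret_refs:
                    raise KeyError(f"no secret reference supplied for {var['name']}")
                moved.append({"name": var["name"], "valueFrom": secret_refs[var["name"]]})
            else:
                kept.append(var)
        container["environment"] = kept
        container["secrets"] = moved
    return hardened


# Constructed ARNs for the example. In a real account these come from
# `aws secretsmanager create-secret` or `aws ssm put-parameter --type SecureString`.
SECRET_REFS = {
    "DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/db-password-AbCdEf",
    "API_TOKEN": "arn:aws:ssm:us-east-1:123456789012:parameter/example/api-token",
}

if __name__ == "__main__":
    for container, name in find_exposed_secrets(INSECURE_TASK_DEFINITION):
        print(f"EXPOSED: container={container} variable={name}")
    fixed = move_to_secrets(INSECURE_TASK_DEFINITION, SECRET_REFS)
    print(json.dumps(fixed["containerDefinitions"][0], indent=2))
```

The hardened definition only changes where the value comes from; the task execution role referenced by `executionRoleArn` must also be allowed to read the secret (`secretsmanager:GetSecretValue` for Secrets Manager, `ssm:GetParameters` for Parameter Store, plus `kms:Decrypt` when a customer-managed key is used), otherwise the task fails to start. Registering the hardened JSON with `aws ecs register-task-definition` creates a new revision; the old revision still contains the plaintext values and should be deregistered, and the exposed credential rotated.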

CLI Command

To list the environment variables of a task definition and check whether any of them contains a secret, run the following CLI command:

aws ecs describe-task-definition \
    --region <REGION> \
    --task-definition <TASK_DEFINITION_NAME> \
    --query 'taskDefinition.containerDefinitions[*].environment'