Data at risk

ECS task definition passes a secret as a container environment variable

Description

Amazon Elastic Container Service (ECS) is a highly scalable, fast container management service that makes it simple to run, stop, and manage containers on a cluster. A task definition describes your containers; you use it to run individual tasks or tasks within a service. It was detected that the ECS Task Definition {AwsEcsTaskDefinition} has an environment variable named 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', or 'ECS_ENGINE_AUTH_DATA' in Container Definition {AwsEcsTaskDefinition.ContainerDefinitions}. Credentials placed in plain environment variables are visible to anyone who can describe the task definition or inspect the running container. It is advised to store secrets and credentials in Secrets Manager or AWS Systems Manager Parameter Store and have ECS inject them at runtime, rather than passing them into your container instances as environment variables or hard-coding them into your code.
  • Recommended Mitigation

    It is recommended to remove the environment variable and use Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve the value at runtime.
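The following Python example is added here to illustrate both the detection described above and the recommended fix; it is not part of the original finding or of any AWS tooling. It scans a task definition in the shape returned by `aws ecs describe-task-definition` for the three flagged variable names, then produces a corrected copy that moves each one from the container's `environment` list to its `secrets` list, where `valueFrom` points at a Secrets Manager or Parameter Store ARN. The task definition, image names, account ID and ARNs are constructed placeholders.

```python
import json

# Environment variable names that this finding treats as secrets.
FLAGGED_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}

# Constructed sample task definition (placeholder values, not real credentials).
SAMPLE_TASK_DEFINITION = {
    "family": "example-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "example/api:1.0",
            "environment": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder-secret"},
            ],
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:1.0",
            "environment": [{"name": "PORT", "value": "8080"}],
        },
    ],
}

# Constructed placeholder ARNs for the secrets that should replace the inline values.
SAMPLE_SECRET_ARNS = {
    "AWS_ACCESS_KEY_ID": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api/access-key-id",
    "AWS_SECRET_ACCESS_KEY": "arn:aws:ssm:us-east-1:123456789012:parameter/api/secret-access-key",
}


def find_secret_env_vars(task_definition):
    """Return (container name, variable name) for every flagged plain environment variable."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        for env in container.get("environment", []):
            if env.get("name") in FLAGGED_ENV_NAMES:
                findings.append((container["name"], env["name"]))
    return findings


def remediate(task_definition, secret_arns):
    """Return a corrected deep copy: flagged variables move from `environment`
    to `secrets` entries of the form {"name": ..., "valueFrom": <ARN>}.
    Raises KeyError if no ARN was supplied for a flagged variable, so nothing is dropped silently."""
    fixed = json.loads(json.dumps(task_definition))  # deep copy; input is left untouched
    for container in fixed.get("containerDefinitions", []):
        kept = []
        secrets = container.setdefault("secrets", [])
        for env in container.get("environment", []):
            name = env.get("name")
            if name in FLAGGED_ENV_NAMES:
                if name not in secret_arns:
                    raise KeyError(f"no secret ARN supplied for {name}")
                secrets.append({"name": name, "valueFrom": secret_arns[name]})
            else:
                kept.append(env)
        container["environment"] = kept
        if not secrets:  # keep the output minimal for containers that needed no change
            del container["secrets"]
    return fixed


if __name__ == "__main__":
    print("findings:", find_secret_env_vars(SAMPLE_TASK_DEFINITION))
    print(json.dumps(remediate(SAMPLE_TASK_DEFINITION, SAMPLE_SECRET_ARNS), indent=2))
```

For the `secrets` entries to work, the task's execution role (`executionRoleArn`) must be allowed to read the referenced secret or parameter (and to decrypt the KMS key protecting it); otherwise the task fails at launch rather than silently running without the value. For `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` specifically, consider whether the container needs static keys at all: an IAM task role (`taskRoleArn`) gives the container temporary credentials without storing any key anywhere.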