Data at risk

ECS task definition passes a secret as a container environment variable


Amazon Elastic Container - ECS is a highly scalable, fast container management service that makes running, stopping, and managing containers on a cluster simple. A task definition defines your containers, which you use to run individual tasks or tasks within a service. It was detected that the ECS Task Definition {AwsEcsTaskDefinition} has an environment variable equals to 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', or 'ECS_ENGINE_AUTH_DATA' in Container Definition {AwsEcsTaskDefinition.ContainerDefinitions}. It is advised to use the Secrets Manager or Parameter Store to store secrets and credentials instead of passing them into your container instances or hard coding them into your code.
  • Recommended Mitigation

    It is recommended to remove the environment variable and use Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve the value at runtime.