ECS Task definition has secrets in the container environment in plain text
ID | aws_ecs_task_container_password
Severity | critical
Vendor | AWS
Resource | Secrets
Tags | reachable
Description
An ECS task definition places secrets in a container's `environment` list in plain text. Values in `environment` are stored unencrypted in the task definition itself and are visible to anyone who can read it. Store secrets in a secrets vault such as AWS Secrets Manager (or SSM Parameter Store) and reference them through the container's `secrets` list with `valueFrom`, so ECS injects them at container start instead.
Learn more about this topic in the AWS documentation on task definition environment files.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create task definition
      community.aws.ecs_taskdefinition:
        family: nginx
        containers:
          - name: nginx
            essential: true
            image: "nginx"
            environment:
              - name: "PORT"
                value: "8080"
              # Secret in plain text: stored unencrypted in the task definition
              - name: "ENV_PASS"
                value: "Oh oh, we have a problem"
            secrets:
              # For variables stored in Secrets Manager
              - name: "NGINX_HOST"
                valueFrom: "arn:aws:secretsmanager:us-west-2:123456789012:secret:nginx/NGINX_HOST"
              # For variables stored in Parameter Store
              - name: "API_KEY"
                valueFrom: "arn:aws:ssm:us-west-2:123456789012:parameter/nginx/API_KEY"
        launch_type: FARGATE
        cpu: 512
        memory: 1GB
        state: present
        network_mode: awsvpc
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create task definition
      community.aws.ecs_taskdefinition:
        family: nginx
        containers:
          - name: nginx
            essential: true
            image: "nginx"
            environment:
              # Only non-sensitive configuration stays in `environment`;
              # ENV_PASS is removed and belongs under `secrets` with `valueFrom`
              - name: "PORT"
                value: "8080"
            secrets:
              # For variables stored in Secrets Manager
              - name: "NGINX_HOST"
                valueFrom: "arn:aws:secretsmanager:us-west-2:123456789012:secret:nginx/NGINX_HOST"
              # For variables stored in Parameter Store
              - name: "API_KEY"
                valueFrom: "arn:aws:ssm:us-west-2:123456789012:parameter/nginx/API_KEY"
        launch_type: FARGATE
        cpu: 512
        memory: 1GB
        state: present
        network_mode: awsvpc
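The following script is an added example of how this rule can be checked outside Ansible; it is not part of the rule page or of the community.aws collection. It scans the container definitions of a task definition for plaintext environment variables whose name or value looks like a credential, while never flagging entries under `secrets` that use `valueFrom`. It accepts both the AWS API shape (`containerDefinitions`, as returned by `aws ecs describe-task-definition`) and the module's `containers` shape. The name patterns and the allowlist are heuristics chosen for this example, and the embedded sample task definition is constructed to mirror the playbook above.

```python
"""Flag plaintext secrets in ECS task definition container environments."""
import json
import re
import sys

# Heuristic: variable names that usually carry credentials (assumption for this
# example; tune to your own naming conventions).
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)
# Names that match the heuristic but are configuration, not secrets (assumption).
ALLOWLIST = {"PASSWORD_MIN_LENGTH", "TOKEN_TTL_SECONDS"}


def env_var_reason(name, value):
    """Return why a plaintext environment variable looks like a secret, or None."""
    if name in ALLOWLIST:
        return None
    if SENSITIVE_NAME.search(name):
        return f"name {name!r} suggests a credential"
    if value.startswith("-----BEGIN ") and "PRIVATE KEY" in value:
        return "value is a PEM private key"
    return None


def find_plaintext_secrets(task_definition):
    """Scan every container for secrets placed in `environment`.

    Entries under `secrets` with `valueFrom` are the correct pattern (Secrets
    Manager or Parameter Store reference) and are never reported.
    """
    containers = (task_definition.get("containerDefinitions")
                  or task_definition.get("containers") or [])
    findings = []
    for container in containers:
        cname = container.get("name", "<unnamed>")
        for var in container.get("environment") or []:
            reason = env_var_reason(str(var.get("name", "")), str(var.get("value", "")))
            if reason:
                findings.append({"container": cname, "variable": var.get("name"), "reason": reason})
    return findings


# Constructed sample mirroring the rule's "Examples" playbook (not real data).
SAMPLE_TASK_DEFINITION = {
    "family": "nginx",
    "containerDefinitions": [{
        "name": "nginx",
        "image": "nginx",
        "environment": [
            {"name": "PORT", "value": "8080"},
            {"name": "ENV_PASS", "value": "Oh oh, we have a problem"},
        ],
        "secrets": [
            {"name": "NGINX_HOST",
             "valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:nginx/NGINX_HOST"},
            {"name": "API_KEY",
             "valueFrom": "arn:aws:ssm:us-west-2:123456789012:parameter/nginx/API_KEY"},
        ],
    }],
}


def main(argv):
    """Usage: python check_ecs_env.py [describe-task-definition.json]"""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            doc = json.load(fh)
        # `aws ecs describe-task-definition` wraps the object in "taskDefinition"
        doc = doc.get("taskDefinition", doc)
    else:
        doc = SAMPLE_TASK_DEFINITION
    findings = find_plaintext_secrets(doc)
    for f in findings:
        print(f"[critical] container {f['container']}: {f['variable']} "
              f"set in plaintext environment ({f['reason']})")
    if not findings:
        print("no plaintext secrets found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample flagged (`ENV_PASS`), or pass the output of `aws ecs describe-task-definition --task-definition nginx` saved to a file. A non-zero exit status makes it usable as a CI gate before `register-task-definition`.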