
Make sure secrets are not passed as container environment variables

Amazon Elastic Container Service (ECS) [task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) are JSON files that describe how a Docker container should be launched within an ECS cluster.

Category

Controls

High

Applies to

AWS

Coverage

1 query

Asset types

1 covered

Overview

This control checks whether the environment parameter of any container definition in an Amazon ECS task definition contains one of the key-value pairs AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. Values placed in environment are stored in plaintext in the task definition and are returned by DescribeTaskDefinition, so anyone with ecs:DescribeTaskDefinition on the resource can read them. Note that the control does not inspect environment variables loaded from other sources, such as environment files on Amazon S3 (environmentFiles). It also evaluates only the in-use revisions of a task definition, i.e. revisions referenced by a RUNNING task; registered revisions with no running task are not flagged.

Remediation guidance

In AWS, you can pass secrets to a task definition safely by referencing AWS Secrets Manager or AWS Systems Manager Parameter Store instead of putting the values in the environment parameter. Both services encrypt secrets at rest, gate retrieval with IAM, and record each retrieval in CloudTrail, whereas a value in environment is plaintext in the task definition and visible to anyone who can describe it. Here is how to pass secrets to a task definition:

  1. Store the secrets: Create the secrets in AWS Secrets Manager or as SecureString parameters in Systems Manager Parameter Store.
  2. Grant access: Write an IAM policy that allows secretsmanager:GetSecretValue (or ssm:GetParameters) on exactly the secret ARNs the task needs, plus kms:Decrypt on the key if the secrets are encrypted with a customer managed KMS key.
  3. Update the task definition: Replace each sensitive environment entry with an entry in the container's secrets array whose valueFrom is the secret's ARN (or the parameter's ARN, or its name if it is in the same region). The secret value itself never appears in the task definition.
  4. Configure the task execution role: Attach the policy from step 2 to the task execution role (the role the ECS container agent assumes to start the task, on both EC2 and Fargate), not to the task role the application assumes at runtime.
  5. Deploy and run tasks: Register the new revision and update the service or run the task. At launch the ECS agent retrieves the values and injects them into the container as environment variables (or as log driver options, via secretOptions in logConfiguration).

Two caveats apply. For AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY the better fix is to remove the static keys entirely and set taskRoleArn: the AWS SDKs then obtain short-lived credentials from the ECS credential endpoint, so there is nothing to store at all. Likewise ECS_ENGINE_AUTH_DATA is a container-agent setting for private registry authentication, not something a container should receive; for images that need registry credentials, use repositoryCredentials in the container definition with a Secrets Manager secret. And a value injected via secrets is still an environment variable inside the container, readable by every process in it (and through /proc), so it must still be kept out of logs, crash dumps, and debug endpoints.

The following is a snippet of a task definition showing the format when referencing the full text of a Secrets Manager secret. To inject a single key from a JSON secret instead, append the key to the ARN, as in arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf:json-key:: (the two trailing fields are version stage and version ID; leaving them empty selects the current version).

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
    }]
  }]
}
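The five steps above, carried out on a constructed task definition. This is an added example, not code from the original page or from AWS: the region, account ID, role ARN, secret ARNs (the -AbCdEf suffix stands in for the random suffix Secrets Manager appends) and the "before" task definition are placeholders. It goes slightly beyond the text in two ways it explains in comments: static AWS keys are removed in favour of a task role rather than moved to a secret, and the caller can name additional keys (here DB_PASSWORD) to move into secrets. The generated policy is the one to attach to the task execution role.

```python
import copy
import json

# Keys the control flags when they appear in a container's plaintext "environment".
FLAGGED_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}
# Static AWS credentials are a special case: the fix is a task IAM role, not a secret.
STATIC_AWS_CREDS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Constructed placeholders (assumptions, not real resources).
REGION, ACCOUNT = "us-east-1", "123456789012"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/payments-api-task-role"

# Constructed "before" task definition: credentials sitting in plaintext environment entries.
VULNERABLE_TASK_DEF = {
    "family": "payments-api",
    "containerDefinitions": [{
        "name": "api",
        "image": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/payments-api:1.4.2",
        "environment": [
            {"name": "APP_ENV", "value": "prod"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA0000000000EXAMPLE"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
        ],
    }],
}


def secret_arn(name):
    """Secrets Manager ARN that will hold the former value of env var `name`.
    '-AbCdEf' stands in for the random suffix Secrets Manager appends (placeholder)."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-AbCdEf"


def flagged_env_keys(task_def, keys=FLAGGED_KEYS):
    """Mirror of the control's check: flagged keys still present in any container's
    plaintext environment list. An empty result means the task definition passes."""
    return sorted(
        e["name"]
        for c in task_def.get("containerDefinitions", [])
        for e in c.get("environment", [])
        if e["name"] in keys
    )


def remediate(task_def, task_role_arn, extra_secret_keys=()):
    """Return (remediated copy, list of secret ARNs the execution role must be able to read).

    AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are dropped and replaced by a task IAM role,
    so the SDK fetches temporary credentials from the ECS credential endpoint instead.
    Every other flagged key, plus any caller-named sensitive key, is moved from
    "environment" to "secrets" with a valueFrom pointing at Secrets Manager.
    """
    fixed = copy.deepcopy(task_def)
    to_secret = (FLAGGED_KEYS - STATIC_AWS_CREDS) | set(extra_secret_keys)
    arns = []
    for container in fixed.get("containerDefinitions", []):
        kept = []
        for entry in container.get("environment", []):
            if entry["name"] in STATIC_AWS_CREDS:
                fixed["taskRoleArn"] = task_role_arn  # credentials now come from the role
            elif entry["name"] in to_secret:
                arn = secret_arn(entry["name"])
                container.setdefault("secrets", []).append(
                    {"name": entry["name"], "valueFrom": arn})
                arns.append(arn)
            else:
                kept.append(entry)  # non-sensitive config stays as plain environment
        container["environment"] = kept
    return fixed, arns


def execution_role_policy(secret_arns, kms_key_arn=None):
    """Least-privilege policy for the task *execution* role (the role the ECS agent uses
    to fetch secrets at launch), scoped to exactly the secrets referenced. kms:Decrypt is
    only required when the secrets are encrypted with a customer managed KMS key."""
    statements = [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": sorted(set(secret_arns)),
    }]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("flagged before:", flagged_env_keys(VULNERABLE_TASK_DEF))
    fixed, arns = remediate(VULNERABLE_TASK_DEF, TASK_ROLE_ARN, extra_secret_keys={"DB_PASSWORD"})
    print("flagged after: ", flagged_env_keys(fixed))
    print(json.dumps(fixed, indent=2))
    print(json.dumps(execution_role_policy(arns), indent=2))
```

The output of remediate is what you would pass to register-task-definition; the policy goes on the execution role named in executionRoleArn, and the task role named in taskRoleArn carries only the permissions the application itself needs.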

For more details, refer to the AWS documentation on specifying sensitive data in ECS task definitions.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit (the managed rule ecs-no-environment-secrets, which backs Security Hub control ECS.8, evaluates this same check), approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Check if secrets are passed as ENV vars on ECS Task Definitions

Connectors

AWS

Covered asset types

ECSTaskDefinition

Expected check: eq []

{
  ecsTaskDefinitions(
    where: {
      task_NOT: null,
      containerSpecs_SOME: {
        envEntries_SOME: {
          key_IN: [
            "AWS_ACCESS_KEY_ID"
            "AWS_SECRET_ACCESS_KEY"
            "ECS_ENGINE_AUTH_DATA"
          ]
        }
      }
    }
  ) {...AssetFragment}
}
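The stored query above, re-expressed in Python over the shapes returned by `aws ecs describe-task-definition` and `aws ecs describe-tasks`. This is an added example, not code from the original page or from Cyscale; the three task definitions, the task list, and every ARN in it are constructed. It reproduces the two scoping rules the Overview states: only revisions referenced by a RUNNING task are flagged (the query's task_NOT: null), and containers that also load variables from environmentFiles on S3 are reported separately because their contents are not visible to the check.

```python
# Flagged keys, identical to the key_IN list in the stored query.
FLAGGED_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}

# Constructed ARNs (placeholders, not real resources).
ECS_PREFIX = "arn:aws:ecs:us-east-1:123456789012"
ARN_API_7 = f"{ECS_PREFIX}:task-definition/payments-api:7"
ARN_API_8 = f"{ECS_PREFIX}:task-definition/payments-api:8"
ARN_WORKER_3 = f"{ECS_PREFIX}:task-definition/batch-worker:3"

# Constructed samples shaped like describe-task-definition output, abridged to the fields used.
TASK_DEFINITIONS = [
    {   # revision 7: static AWS keys in plaintext environment, still running
        "taskDefinitionArn": ARN_API_7,
        "containerDefinitions": [
            {"name": "api", "environment": [
                {"name": "APP_ENV", "value": "prod"},
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA0000000000EXAMPLE"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY"}]},
            {"name": "sidecar", "environment": [{"name": "LOG_LEVEL", "value": "info"}]},
        ],
    },
    {   # revision 8: remediated via secrets, but also loads an env file from S3
        "taskDefinitionArn": ARN_API_8,
        "containerDefinitions": [{
            "name": "api",
            "environment": [{"name": "APP_ENV", "value": "prod"}],
            "secrets": [{"name": "DB_PASSWORD",
                         "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:DB_PASSWORD-AbCdEf"}],
            "environmentFiles": [{"type": "s3", "value": "arn:aws:s3:::example-config/api.env"}]}],
    },
    {   # batch-worker:3: flagged key present, but only a STOPPED task references it
        "taskDefinitionArn": ARN_WORKER_3,
        "containerDefinitions": [{
            "name": "worker",
            "environment": [{"name": "ECS_ENGINE_AUTH_DATA", "value": "{\"registry.example\":{}}"}]}],
    },
]

# Constructed sample shaped like describe-tasks output.
TASKS = [
    {"taskArn": f"{ECS_PREFIX}:task/prod/1111", "taskDefinitionArn": ARN_API_7, "lastStatus": "RUNNING"},
    {"taskArn": f"{ECS_PREFIX}:task/prod/2222", "taskDefinitionArn": ARN_API_8, "lastStatus": "RUNNING"},
    {"taskArn": f"{ECS_PREFIX}:task/prod/3333", "taskDefinitionArn": ARN_WORKER_3, "lastStatus": "STOPPED"},
]


def in_use_revisions(tasks):
    """Task definition ARNs referenced by a RUNNING task (the query's task_NOT: null)."""
    return {t["taskDefinitionArn"] for t in tasks if t.get("lastStatus") == "RUNNING"}


def find_env_secrets(task_definitions, tasks=None, keys=FLAGGED_KEYS):
    """Return (findings, uninspected).

    findings:    (taskDefinitionArn, container, key) for each flagged key found in a
                 plaintext environment entry; restricted to in-use revisions when
                 `tasks` is given, otherwise every registered revision is scanned.
    uninspected: (taskDefinitionArn, container) for containers that also pull variables
                 from environmentFiles, whose contents this check cannot see.
    """
    in_use = in_use_revisions(tasks) if tasks is not None else None
    findings, uninspected = [], []
    for td in task_definitions:
        arn = td["taskDefinitionArn"]
        if in_use is not None and arn not in in_use:
            continue
        for c in td.get("containerDefinitions", []):
            for e in c.get("environment", []):
                if e.get("name") in keys:
                    findings.append((arn, c["name"], e["name"]))
            if c.get("environmentFiles"):
                uninspected.append((arn, c["name"]))
    return findings, uninspected


if __name__ == "__main__":
    findings, uninspected = find_env_secrets(TASK_DEFINITIONS, TASKS)
    for arn, container, key in findings:
        print(f"FAIL {arn} container={container} env={key}")
    for arn, container in uninspected:
        print(f"NOTE {arn} container={container} loads environmentFiles (not inspected)")
    print("expected check: eq [] ->", "pass" if not findings else "fail")
```

Running it without the task list is the stricter variant a practitioner usually wants in CI: it also catches batch-worker:3, which the in-use scoped check skips because no task is currently running from it.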
© 2026 Cyscale Limited
