Make sure secrets are not passed as container environment variables

In AWS, you can safely pass secrets to a task definition in by using AWS Secrets Manager or AWS Systems Manager Parameter Store. These services provide secure storage and management of sensitive information, including API keys, passwords, and database credentials. Here's how you can pass secrets to a task definition:

1. Store the Secrets: Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store your secrets. These services encrypt the secrets at rest and provide access controls to restrict who can retrieve the secrets.
2. Grant Access: Configure the necessary permissions to allow your ECS task or service to access the stored secrets. This typically involves creating an IAM role with appropriate permissions to access the secret values from Secrets Manager or Parameter Store.
3. Update Task Definition: Modify your task definition to include references to the secrets stored in Secrets Manager or Parameter Store. Instead of hard-coding the secret values directly in the task definition, you use placeholders or environment variables to reference the secrets' ARNs or names.
4. Configure Task Execution Role: Ensure that your ECS task execution role (the role assumed by the ECS agent on the EC2 instances) has the necessary permissions to retrieve the secret values from Secrets Manager or Parameter Store.
5. Deploy and Run Tasks: Launch your tasks or services using the updated task definition. During runtime, the ECS agent will automatically retrieve the secret values from Secrets Manager or Parameter Store and inject them as environment variables or files into the running container.

The following is a snippet of a task definition showing the format when referencing the full text of a Secrets Manager secret.

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
    }]
  }]
}

For more details refer to AWS documentation

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

References for Service-Wide Patterns

• AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• AWS: deploy/adjust organization conformance packs and policy guardrails.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.