lacework-global-377

Do not pass secrets as container environment variables (Manual)

Description

AWS Systems Manager Parameter Store can help improve the security posture of an organization. Best practices recommend using the Parameter Store to store secrets and credentials instead of passing them directly to container instances as environment variables or hard-coding them in source.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Service (ECS).
  4. In the left-hand pane, click Task definitions.
  5. Select the task definition with secrets in the container environment variables.
  6. Select the task definition revision and click Create new revision.
  7. Under Container, in the Environment variables section, remove any variable named AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or ECS_ENGINE_AUTH_DATA.
  8. Click Create.

From CLI:

Create a JSON file containing the container definitions for use in the task definition, with no environment variable named AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or ECS_ENGINE_AUTH_DATA set, then run the following command:

aws ecs register-task-definition --family <task_definition_name> --container-definitions <container_definition_json>
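The following is an added example (not Lacework's or AWS's own code) showing how to check a container definition for the three flagged environment variable names and produce the remediated JSON that the CLI step above expects. Instead of plain environment entries, the corrected definition references Parameter Store through the ECS `secrets` field, whose `valueFrom` holds the parameter ARN; ECS then injects the value when the task starts, so the secret never sits in the task definition. The container definition, image name and parameter ARN prefix are constructed placeholders.

```python
"""Audit an ECS container definition for secrets passed as environment
variables and emit a remediated definition that references AWS Systems
Manager Parameter Store via the `secrets` field instead.

Added example, not Lacework's or AWS's own code. The container definition
and the Parameter Store ARN prefix below are constructed placeholders.
"""
import json

# Environment variable names that must not carry secrets (the names checked
# by Security Hub control ECS.8, as listed in the remediation steps).
FORBIDDEN_ENV_NAMES = frozenset({
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "ECS_ENGINE_AUTH_DATA",
})

# Constructed sample: one entry of a task definition's "containerDefinitions".
SAMPLE_CONTAINER_DEFINITION = {
    "name": "app",
    "image": "example.com/app:1.0",  # placeholder image
    "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLE"},  # constructed value
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "example-secret"},  # constructed
    ],
}


def find_secret_env_vars(container_definition):
    """Return, sorted, the forbidden environment variable names that are set."""
    env = container_definition.get("environment") or []
    return sorted(e["name"] for e in env if e.get("name") in FORBIDDEN_ENV_NAMES)


def audit_task_definition(task_definition):
    """Map each container name to its offending variables (empty lists omitted)."""
    findings = {}
    for cdef in task_definition.get("containerDefinitions", []):
        hits = find_secret_env_vars(cdef)
        if hits:
            findings[cdef.get("name", "<unnamed>")] = hits
    return findings


def remediate(container_definition, parameter_arn_prefix):
    """Return a copy with forbidden env vars moved into the `secrets` list.

    Each moved entry becomes {"name": ..., "valueFrom": <Parameter Store ARN>}.
    `parameter_arn_prefix` is a placeholder such as
    "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/app/"; the variable name is
    appended to form the parameter ARN. The input object is not modified.
    """
    fixed = json.loads(json.dumps(container_definition))  # deep copy
    kept, moved = [], []
    for entry in fixed.get("environment") or []:
        if entry.get("name") in FORBIDDEN_ENV_NAMES:
            moved.append({"name": entry["name"],
                          "valueFrom": parameter_arn_prefix + entry["name"]})
        else:
            kept.append(entry)
    fixed["environment"] = kept
    fixed["secrets"] = (fixed.get("secrets") or []) + moved
    return fixed


if __name__ == "__main__":
    task_def = {"family": "example-task", "containerDefinitions": [SAMPLE_CONTAINER_DEFINITION]}
    print("findings:", audit_task_definition(task_def))
    prefix = "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/app/"  # placeholder
    remediated = [remediate(c, prefix) for c in task_def["containerDefinitions"]]
    # Write the array for: aws ecs register-task-definition --family example-task \
    #   --container-definitions file://container-definitions.json
    with open("container-definitions.json", "w") as fh:
        json.dump(remediated, fh, indent=2)
    print(json.dumps(remediated, indent=2))
```

The written file can be passed to the command above as `--container-definitions file://container-definitions.json`. For the `secrets` references to resolve at launch, the task execution role (`executionRoleArn`) must be allowed `ssm:GetParameters` on those parameters, plus `kms:Decrypt` if they are SecureString parameters encrypted with a customer-managed key.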

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-8