
ECS task definition variables expose secrets

Description

ECS task definition variables are metadata definitions that usually contain small configuration values defining the ECS cluster's execution parameters. These variables can be read by any principal holding even the most basic read-only metadata permissions, and they cannot be encrypted.

We recommend removing secrets from unencrypted locations, especially ones that are easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime

Guidance

ECS enables storing sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters. For additional guidance, see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html.

CLI Command

To see the environment variables, including any plaintext secrets, run the following CLI command (the backslashes continue the command across lines, and the query is quoted so the shell does not expand `[*]`):

aws ecs describe-task-definition \
  --region <REGION> \
  --task-definition <TASK_DEFINITION_NAME> \
  --query 'taskDefinition.containerDefinitions[*].environment'
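The following is an added example, not part of the original page or of any AWS tooling. It shows the check and the remediation the page describes in code: it scans the JSON that `aws ecs describe-task-definition` returns for `environment` entries whose names suggest a credential, and it shows how such an entry is moved into the task definition's `secrets` list as a `valueFrom` reference to an AWS Secrets Manager secret (the storage the Guidance section recommends). The task definition, the variable names, the ARN and the name-matching pattern are all constructed for illustration.

```python
import copy
import re

# Constructed sample, shaped like `aws ecs describe-task-definition` output
# (trimmed to the fields this check uses). Values are made up.
SAMPLE_TASK_DEFINITION = {
    "taskDefinition": {
        "family": "example-api",
        "containerDefinitions": [
            {
                "name": "api",
                "image": "example/api:1.0",
                # Plaintext values in `environment` are readable by anyone who
                # can describe the task definition: this is the finding.
                "environment": [
                    {"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "STRIPE_API_KEY", "value": "sk_test_placeholder"},
                ],
                # Hardened form: the container still receives the value as an
                # environment variable at start-up, but the definition only
                # stores a reference to the secret, not the secret itself.
                "secrets": [
                    {
                        "name": "SMTP_PASSWORD",
                        "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:smtp-placeholder",
                    }
                ],
            }
        ],
    }
}

# Heuristic: variable names that usually carry credentials. Assumed pattern;
# tune it to your own naming conventions (it will also match e.g. COMPASS).
SECRET_NAME_PATTERN = re.compile(
    r"(PASS(WORD)?|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|CREDENTIAL)",
    re.IGNORECASE,
)


def find_plaintext_secrets(task_definition: dict) -> list[dict]:
    """Return one finding per plaintext env var whose name looks credential-like.

    Accepts either the full describe-task-definition response or the bare
    taskDefinition object. Only `environment` is inspected; `secrets` entries
    already use valueFrom references and are not findings.
    """
    findings = []
    td = task_definition.get("taskDefinition", task_definition)
    for container in td.get("containerDefinitions", []):
        for var in container.get("environment") or []:
            name = var.get("name", "")
            if SECRET_NAME_PATTERN.search(name):
                findings.append({
                    "family": td.get("family"),
                    "container": container.get("name"),
                    "variable": name,
                })
    return findings


def to_secret_reference(var_name: str, secret_arn: str) -> dict:
    """Build the `secrets` entry that replaces a plaintext `environment` entry."""
    return {"name": var_name, "valueFrom": secret_arn}


def remediate(task_definition: dict, secret_arns: dict) -> dict:
    """Return a deep copy in which every flagged variable that has a mapped ARN
    is removed from `environment` and added to `secrets` as a valueFrom reference.
    Variables without a mapping are left in place so they still show up as findings.
    """
    result = copy.deepcopy(task_definition)
    td = result.get("taskDefinition", result)
    for container in td.get("containerDefinitions", []):
        kept = []
        for var in container.get("environment") or []:
            name = var.get("name", "")
            if SECRET_NAME_PATTERN.search(name) and name in secret_arns:
                container.setdefault("secrets", []).append(
                    to_secret_reference(name, secret_arns[name])
                )
            else:
                kept.append(var)
        container["environment"] = kept
    return result


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_TASK_DEFINITION):
        print("plaintext secret:", finding)
```

Registering the remediated definition is a separate step (`aws ecs register-task-definition` with a new revision, after the secret has been created in Secrets Manager or Parameter Store); the task execution role also needs permission to read the referenced secret, otherwise the task fails to start. The name matching is a heuristic and reports on variable names only, so a secret stored under an innocuous name still needs a manual review of the values the CLI command above prints.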