
Avoid Passing Secrets in ECS Container Environment Variables

Ensures that secrets such as AWS access keys are not passed as environment variables in ECS containers, advocating for the use of more secure mechanisms like AWS Secrets Manager.

Rule: Secrets should not be passed as container environment variables
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description

A value placed in the "environment" block of an ECS task definition is stored in plaintext in the task definition itself. Anyone who can call ecs:DescribeTaskDefinition can read it, it shows in the console, and it tends to be copied into infrastructure-as-code templates and state files, CI logs and backups. Inside the container it is also visible to every process and child process, and can leak through crash dumps and debug output. The AWS Foundational Security Best Practices control behind this rule (ECS.8) specifically looks for the variable names AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and ECS_ENGINE_AUTH_DATA, but any credential passed the same way (database passwords, API tokens, private keys) carries the same risk.

The secure alternative is to keep the value in AWS Secrets Manager or AWS Systems Manager Parameter Store and reference it from the task definition's "secrets" field, so that ECS fetches it through the task execution role when the task starts. Note that the container still receives the value as an environment variable at runtime; what changes is that the plaintext is no longer stored in the task definition or readable through the ECS API. For AWS access keys in particular, the better fix is usually to remove the long-lived key altogether and give the task an IAM task role, so the SDK obtains temporary credentials on its own.

Troubleshooting Steps

If secrets are currently being passed as container environment variables, update the task definition so that it no longer carries them. The steps below cover the usual remediation:

Step 1: Remove Secrets from Environment Variables

Run aws ecs describe-task-definition for the flagged family and inspect the "environment" list of every container. Look beyond the three variable names the control checks: any password, token or key passed this way should be treated the same. Remove those entries from the "environment" block.

Step 2: Store Secrets Securely

Store each removed value in AWS Secrets Manager or as a SecureString parameter in AWS Systems Manager Parameter Store, and reference it from the container's "secrets" list with a "valueFrom" that names the secret or parameter ARN. ECS resolves the reference with the task execution role when the task starts, so the value never sits in the task definition.

Step 3: Update Application Code

With the "secrets" field the variable name and value seen by the application are unchanged, so application code usually needs no modification. If you prefer to fetch secrets at runtime through the AWS SDK instead (for example to pick up rotated values without a new deployment), the task role, not the execution role, needs permission to read them.

Remediation Steps

Follow these steps to remediate the issue of passing secrets as container environment variables:

Step 1: Store Secrets in AWS Secrets Manager

1. Open the AWS Management Console and navigate to AWS Secrets Manager, or use aws secretsmanager create-secret from the CLI.
2. Create a new secret for each credential (or import an existing one) with the sensitive value.
3. Define the key/value pairs for the secret data. ECS can inject a whole secret, or a single key from a JSON secret when the "valueFrom" reference names that key.

Step 2: Update Container Configuration

1. Retrieve the current task definition with aws ecs describe-task-definition.
2. Delete the environment variables containing secrets from the "environment" block of each container.
3. Add the same variable names to the container's "secrets" list, each with a "valueFrom" pointing at the Secrets Manager secret ARN, then register a new revision with aws ecs register-task-definition and point the service at it. Application code that reads the variables by name does not need to change.

Step 3: Grant Permissions

1. Ensure that the task execution role named in "executionRoleArn" (not the task role) has permission to read the secrets the task definition references: secretsmanager:GetSecretValue for Secrets Manager (plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key), or ssm:GetParameters for Parameter Store.
2. Configure these permissions in an IAM policy attached to the role, with "Resource" limited to the specific secret ARNs rather than "*".

Earlier task definition revisions still contain the plaintext values and remain readable until they are deregistered and deleted, so clean those up as well, and rotate any credential that was exposed this way. Following the above steps removes secrets from the task definition and keeps them readable only through the execution role's scoped permissions.
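The troubleshooting and remediation steps above can be checked and applied mechanically. The script below is an added example, not code from this page, from Cloud Defense or from AWS: it audits a task definition for secrets in "environment", rewrites it to use "secrets" with "valueFrom", and derives the least-privilege policy for the task execution role. The task definition, account ID, role name and Secrets Manager ARNs are constructed placeholders (the credential values are AWS documentation examples), and the variable-name-to-ARN mapping is an assumed convention you would replace with your own.

```python
"""Audit an ECS task definition for secrets in container environment
variables and rewrite it to use the task definition `secrets` field.

Added example for this page, not code from Cloud Defense or AWS. The task
definition, account ID, ARNs and role name are constructed placeholders; the
credential values are AWS documentation examples.
"""
import copy
import json
import re

# Variable names the AWS FSBP control ECS.8 looks for, plus a broader pattern
# for other credential-like names a practitioner would also want to catch.
FLAGGED_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}
SENSITIVE_PATTERN = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)

# Constructed sample: a trimmed task definition in the shape that
# `aws ecs describe-task-definition` returns. Every value is fake.
TASK_DEFINITION = {
    "family": "payments-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/payments-api-exec-role",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api:1.4",
            "environment": [
                {"name": "AWS_REGION", "value": "us-east-1"},
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                {"name": "DB_PASSWORD", "value": "hunter2"},
            ],
        }
    ],
}

# Assumed mapping from variable name to the Secrets Manager secret that now
# holds the value. The trailing "-AbCdEf" stands in for the random suffix
# Secrets Manager appends to every secret ARN.
SECRET_ARNS = {
    "AWS_ACCESS_KEY_ID": "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments-api/AWS_ACCESS_KEY_ID-AbCdEf",
    "AWS_SECRET_ACCESS_KEY": "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments-api/AWS_SECRET_ACCESS_KEY-AbCdEf",
    "DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments-api/DB_PASSWORD-AbCdEf",
}


def is_sensitive(name):
    """True if an environment variable name looks like it carries a secret."""
    return name in FLAGGED_NAMES or bool(SENSITIVE_PATTERN.search(name))


def find_secret_env_vars(task_def):
    """Return (container, variable) pairs that violate the rule."""
    return [
        (container["name"], var["name"])
        for container in task_def.get("containerDefinitions", [])
        for var in container.get("environment", [])
        if is_sensitive(var["name"])
    ]


def remediate(task_def, secret_arns):
    """Return a copy of the task definition with every flagged variable moved
    from `environment` (plaintext in the task definition) to `secrets`
    (resolved by ECS through the task execution role at task start)."""
    fixed = copy.deepcopy(task_def)
    for container in fixed["containerDefinitions"]:
        keep, secrets = [], list(container.get("secrets", []))
        for var in container.get("environment", []):
            if not is_sensitive(var["name"]):
                keep.append(var)
                continue
            if var["name"] not in secret_arns:
                raise KeyError(f"no secret ARN supplied for {var['name']}")
            secrets.append({"name": var["name"], "valueFrom": secret_arns[var["name"]]})
        container["environment"] = keep
        container["secrets"] = secrets
    return fixed


def execution_role_policy(task_def):
    """Least-privilege inline policy for the task execution role: read only
    the secrets this task definition references. Add kms:Decrypt on the key
    if the secrets are encrypted with a customer-managed KMS key."""
    arns = sorted({
        secret["valueFrom"]
        for container in task_def["containerDefinitions"]
        for secret in container.get("secrets", [])
    })
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": arns}],
    }


if __name__ == "__main__":
    print("findings:", find_secret_env_vars(TASK_DEFINITION))
    fixed = remediate(TASK_DEFINITION, SECRET_ARNS)
    print(json.dumps(fixed["containerDefinitions"][0], indent=2))
    print(json.dumps(execution_role_policy(fixed), indent=2))
```

Feed the output of describe-task-definition to find_secret_env_vars to reproduce the rule's finding, and pass the remediated "containerDefinitions" to register-task-definition as a new revision. Moving AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into Secrets Manager satisfies the rule, but those two are better removed entirely in favour of a task role; the script treats them like any other secret so that the before/after contrast stays visible.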
