CRITICAL
Source
Trivy
ID
AVD-AWS-0036

Task definition defines sensitive environment variable(s).

You should not make secrets available to a user in plaintext in any scenario. Secrets can instead be pulled from a secure secret storage system by the service requiring them.
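The check behind this finding looks for container environment variables whose name suggests a secret and whose value is set inline in the task definition. The following added example (not part of this page or of Trivy's own code) shows that heuristic run over two constructed container-definition documents: one that places a database password in `environment`, and one that moves it to the `secrets` block so ECS fetches it from Secrets Manager at launch via `valueFrom`. The name patterns, the sample JSON and the Secrets Manager ARN are constructed for illustration.

```python
"""Detect plaintext secrets in ECS container definitions (constructed example)."""
import json
import re

# Assumption: a heuristic list of name fragments treated as sensitive.
# Trivy's own matching rules are not reproduced here.
SENSITIVE_NAME = re.compile(
    r"(password|passwd|pwd|secret|token|api_?key|private_?key|credential)",
    re.IGNORECASE,
)


def find_plaintext_secrets(container_definitions_json: str) -> list[str]:
    """Return one finding per environment variable whose name looks sensitive
    and whose value is written inline in the task definition."""
    findings = []
    for cdef in json.loads(container_definitions_json):
        container = cdef.get("name", "<unnamed>")
        for env in cdef.get("environment") or []:
            name = env.get("name", "")
            value = env.get("value", "")
            # An empty value leaks nothing; only inline values are reported.
            # Entries under "secrets" are not inspected: they hold a reference
            # (valueFrom), not the secret itself.
            if value and SENSITIVE_NAME.search(name):
                findings.append(
                    f"{container}: environment variable {name!r} carries a plaintext value"
                )
    return findings


# Constructed: the password is embedded in the task definition itself.
BAD_CONTAINER_DEFINITIONS = json.dumps([
    {
        "name": "my_service",
        "essential": True,
        "memory": 256,
        "environment": [
            {"name": "ENVIRONMENT", "value": "development"},
            {"name": "DB_PASSWORD", "value": "not-a-real-password"},
        ],
    }
])

# Constructed: the same variable is injected by ECS from Secrets Manager.
# The ARN below is a placeholder, not a real secret.
GOOD_CONTAINER_DEFINITIONS = json.dumps([
    {
        "name": "my_service",
        "essential": True,
        "memory": 256,
        "environment": [
            {"name": "ENVIRONMENT", "value": "development"},
        ],
        "secrets": [
            {
                "name": "DB_PASSWORD",
                "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/db-password-PLACEHOLDER",
            }
        ],
    }
])


if __name__ == "__main__":
    for label, doc in (("bad", BAD_CONTAINER_DEFINITIONS), ("good", GOOD_CONTAINER_DEFINITIONS)):
        print(label, find_plaintext_secrets(doc) or "no findings")
```

The task execution role still needs `secretsmanager:GetSecretValue` (and `kms:Decrypt` for a customer-managed key) on the referenced secret for the `secrets` form to work; the secret never appears in the task definition, the console, or `describe-task-definition` output.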

Impact

Follow the appropriate remediation steps below to resolve the issue.

Use secrets for the task definition

Resources:
  GoodExample:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: MyCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enabled

  GoodTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Image: cfsec/cfsec:latest
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: cfsec-logs
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: cfsec
          MountPoints:
            - ContainerPath: /src
              SourceVolume: src
          Name: cfsec
      Cpu: 512
      Family: CFSec scan
      Memory: 1024
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
        - EC2
      Volumes:
        - EFSVolumeConfiguration:
            FilesystemId: fs1
            TransitEncryption: ENABLED
          Name: jenkins-home

Use secrets for the task definition

resource "aws_ecs_task_definition" "good_example" {
  # Only a non-sensitive variable is set inline; secrets belong in the
  # "secrets" list, referenced by ARN via "valueFrom".
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF
}