The task definition declares one or more environment variables whose names indicate sensitive values (passwords, tokens, API keys, private keys). Secrets must never be placed in plaintext in a task definition: the `environment` block is returned to anyone who can call `ecs:DescribeTaskDefinition`, is shown in the console, is written into Terraform state, and is copied forward into every revision. Store the value in AWS Secrets Manager or SSM Parameter Store instead and reference it from the container's `secrets` block with `valueFrom`; the ECS agent then retrieves it through the task execution role and injects it into the container at start-up, so the definition itself carries only a reference.
Impact
Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.
CloudFormation

Use secrets for the task definition
```yaml
Resources:
  GoodExample:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: MyCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  GoodTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Image: cfsec/cfsec:latest
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: cfsec-logs
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: cfsec
          MountPoints:
            - ContainerPath: /src
              # Must name a volume declared under Volumes below.
              SourceVolume: src
          Name: cfsec
          # No Environment entries carry credentials. Anything sensitive
          # belongs under Secrets, referenced by ARN via ValueFrom.
      Cpu: 512
      # Family may only contain letters, numbers, hyphens and underscores.
      Family: cfsec-scan
      Memory: 1024
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
        - EC2
      Volumes:
        - EFSVolumeConfiguration:
            FilesystemId: fs1
            TransitEncryption: ENABLED
          Name: src
```
Terraform

Use secrets for the task definition
```hcl
resource "aws_ecs_task_definition" "good_example" {
  family = "my_service"

  # Only a non-sensitive variable is passed via "environment".
  # Credentials would go in a "secrets" list with a "valueFrom" ARN.
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF
}
```
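The check this rule performs and the remediation both "good" examples point at, as an added Python example that is not part of the original page or of the scanner's own code. It holds a constructed `container_definitions` document that leaks a database password through `environment`, the same container remediated with a `secrets` entry whose `valueFrom` points at a placeholder Secrets Manager ARN, and a small detector that reports sensitive-looking names found under `environment`. The name pattern, the container names and the ARN are illustrative assumptions, not values from the page.

```python
"""Flag ECS container definitions that pass secrets as plaintext env vars."""
import json
import re
from typing import Any

# Name fragments that usually denote secret material. A heuristic chosen
# for this example; extend it to match your own naming conventions.
SENSITIVE_NAME_PATTERN = re.compile(
    r"(?i)(passw(or)?d|secret|token|api_?key|private_?key|credential)"
)

# Constructed sample input: the container_definitions JSON of a task that
# ships a database password in `environment`. Anyone who can describe the
# task definition can read it.
BAD_CONTAINER_DEFINITIONS = json.dumps([
    {
        "name": "my_service",
        "essential": True,
        "memory": 256,
        "environment": [
            {"name": "ENVIRONMENT", "value": "development"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
        ],
    }
])

# The remediated shape: the secret is referenced under `secrets` by ARN and
# the ECS agent fetches it at start-up using the task execution role, so the
# definition never contains the value. The ARN is a placeholder.
GOOD_CONTAINER_DEFINITIONS = json.dumps([
    {
        "name": "my_service",
        "essential": True,
        "memory": 256,
        "environment": [
            {"name": "ENVIRONMENT", "value": "development"},
        ],
        "secrets": [
            {
                "name": "DB_PASSWORD",
                "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012"
                             ":secret:prod/db-password-AbCdEf",
            }
        ],
    }
])


def find_plaintext_secrets(container_definitions_json: str) -> list[dict[str, Any]]:
    """Return one finding per `environment` entry whose name looks sensitive.

    Entries under `secrets` are deliberately not reported: their `valueFrom`
    is a Secrets Manager ARN or SSM parameter reference, not the value.
    """
    findings: list[dict[str, Any]] = []
    for container in json.loads(container_definitions_json):
        for env in container.get("environment", []):
            name = env.get("name", "")
            if SENSITIVE_NAME_PATTERN.search(name):
                findings.append({
                    "container": container.get("name"),
                    "variable": name,
                    "remediation": (
                        f"move {name} to `secrets` with a `valueFrom` reference "
                        "and grant the task execution role read access to it"
                    ),
                })
    return findings


if __name__ == "__main__":
    for label, defs in (("bad", BAD_CONTAINER_DEFINITIONS),
                        ("good", GOOD_CONTAINER_DEFINITIONS)):
        print(label, json.dumps(find_plaintext_secrets(defs), indent=2))
```

The detector only looks at `environment`, because that is the field whose values are stored in the definition. For the remediated form to work at runtime the task execution role (not the task role) needs `secretsmanager:GetSecretValue` on the referenced secret, plus `kms:Decrypt` if the secret is encrypted with a customer managed key, or `ssm:GetParameters` for Parameter Store references.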
Links