Task definition defines sensitive environment variable(s). Secrets should never be made available in plaintext in any scenario: an environment variable set in a task definition is stored as a literal in the task definition revision and is visible to anyone who can read it. Instead, the service requiring a secret should pull it from a secure secret storage system (for ECS, the task definition's secrets mechanism references the stored value rather than embedding it).
Impact: Sensitive data could be exposed in the AWS Management Console.
Recommended Actions: Follow the appropriate remediation steps below to resolve the issue.
CloudFormation
Terraform
Use secrets for the task definition
Resources:
  GoodExample:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: MyCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  GoodTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      # Family only permits letters, digits, hyphens and underscores (no spaces)
      Family: cfsec-scan
      Cpu: 512
      Memory: 1024
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
        - EC2
      ContainerDefinitions:
        - Name: cfsec
          Image: cfsec/cfsec:latest
          # No plaintext credentials in Environment; this is what the check looks for
          MountPoints:
            - SourceVolume: src
              ContainerPath: /src
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: "cfsec-logs"
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: "cfsec"
      Volumes:
        # Volume name must match the SourceVolume referenced in MountPoints
        - Name: src
          EFSVolumeConfiguration:
            FilesystemId: "fs1"
            TransitEncryption: ENABLED
Use secrets for the task definition
resource "aws_ecs_task_definition" "good_example" {
  # family is a required argument; "service" is a placeholder name
  family                = "service"
  # heredoc marker must directly follow <<, with no space
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF
}
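The CloudFormation and Terraform examples above show task definitions that pass because they carry no credentials in their environment lists. The following added example (not the scanner's own code, and not from the page) makes the check concrete in two ways: it implements a name-based heuristic for plaintext secrets in ECS container definitions, and it contrasts a constructed failing definition with its remediated form, where the credential is moved to the task definition's secrets list and referenced by valueFrom. The regular expression, the sample definitions, the secret value and the Secrets Manager ARN are all constructed placeholders; the real scanner's matching rules are not stated on the page.

```python
"""Heuristic check for plaintext secrets in ECS container definitions.

Added example, not the scanner's own code. The name pattern below is an
assumption chosen for illustration; adjust it to your naming conventions.
"""
import json
import re

# Constructed: environment variable names that usually carry credentials.
SENSITIVE_NAME_PATTERN = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key)",
    re.IGNORECASE,
)


def find_plaintext_secrets(container_definitions):
    """Return (container_name, env_name) pairs for environment entries whose
    name looks sensitive.

    Entries under "secrets" are deliberately not flagged: their value is a
    valueFrom reference that ECS resolves at launch, not a literal stored in
    the task definition revision.
    """
    findings = []
    for container in container_definitions:
        for env in container.get("environment") or []:
            name = env.get("name", "")
            if SENSITIVE_NAME_PATTERN.search(name):
                findings.append((container.get("name", "<unnamed>"), name))
    return findings


def check_task_definition_json(raw):
    """Parse the JSON string Terraform passes as container_definitions and scan it."""
    return check_containers(json.loads(raw))


def check_containers(container_definitions):
    """Scan an already-parsed list of container definitions."""
    return find_plaintext_secrets(container_definitions)


# Constructed sample: the pattern the check flags (credential as a literal).
BAD_CONTAINER_DEFINITIONS = """
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" },
      { "name": "DATABASE_PASSWORD", "value": "constructed-example-value" }
    ]
  }
]
"""

# Constructed sample: the remediated form. The credential is referenced through
# "secrets"/"valueFrom"; the ARN is a placeholder, not a real resource.
GOOD_CONTAINER_DEFINITIONS = """
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ],
    "secrets": [
      {
        "name": "DATABASE_PASSWORD",
        "valueFrom": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER"
      }
    ]
  }
]
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_CONTAINER_DEFINITIONS),
                       ("good", GOOD_CONTAINER_DEFINITIONS)):
        findings = check_task_definition_json(raw)
        print(label, findings if findings else "no plaintext secrets found")
```

Two points worth keeping in mind when applying the remediated form: the task's execution role must be allowed to read the referenced secret, otherwise the task fails to start, and a name-based heuristic like this one only catches conventionally named variables, so it complements rather than replaces a review of what values are actually committed.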