Task definition defines sensitive environment variable(s).
Default Severity: critical
Explanation
Secrets should never be made available to a user in plaintext, in any scenario. Instead, the service that needs a secret should pull it at runtime from a secure secret storage system.
Possible Impact
Sensitive data could be exposed in the AWS Management Console to anyone who can view the task definition.
Suggested Resolution
Use secrets for the task definition, so the definition references the secret rather than embedding its value.
Insecure Example
The following example will fail the aws-ecs-no-plaintext-secrets check.
resource "aws_ecs_task_definition" "bad_example" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" },
      { "name": "DATABASE_PASSWORD", "value": "oh no D:" }
    ]
  }
]
EOF
}
Secure Example
The following example will pass the aws-ecs-no-plaintext-secrets check.
resource "aws_ecs_task_definition" "good_example" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF
}
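To make the check concrete, here is an added example (not tfsec's own implementation) that performs the same kind of scan in Python: it pulls the container_definitions heredoc out of an aws_ecs_task_definition resource, parses the JSON, and flags environment variables whose name looks sensitive and whose value is embedded. The two HCL samples are the insecure and secure examples above; a third constructed sample shows the shape of the suggested resolution, where the password is supplied through the ECS "secrets" list with a "valueFrom" reference (both are real ECS container definition keys; the ARN is a placeholder, not a real resource). The name pattern SENSITIVE_NAME is an assumption of this example, not tfsec's rule logic.

```python
import json
import re

# Constructed sample: the page's insecure example (fails the check).
INSECURE_HCL = '''
resource "aws_ecs_task_definition" "bad_example" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" },
      { "name": "DATABASE_PASSWORD", "value": "oh no D:" }
    ]
  }
]
EOF
}
'''

# Constructed sample: the password is referenced via "secrets"/"valueFrom"
# instead of being embedded. The ARN is a placeholder value.
SECURE_HCL = '''
resource "aws_ecs_task_definition" "good_example" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ],
    "secrets": [
      { "name": "DATABASE_PASSWORD",
        "valueFrom": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER" }
    ]
  }
]
EOF
}
'''

# Assumed heuristic for "looks like a secret"; tfsec's own name list may differ.
SENSITIVE_NAME = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)", re.I
)

# Matches `container_definitions = <<EOF ... EOF` (or <<-EOF) and captures the body.
HEREDOC = re.compile(r"container_definitions\s*=\s*<<-?(\w+)\n(.*?)\n\s*\1\b", re.S)


def extract_container_definitions(hcl_text: str) -> list:
    """Return the JSON bodies of every container_definitions heredoc in the HCL."""
    return [body for _delim, body in HEREDOC.findall(hcl_text)]


def find_plaintext_secrets(container_definitions_json: str) -> list:
    """Return (container_name, variable_name) pairs for environment entries whose
    name looks sensitive and whose value is embedded in the definition."""
    findings = []
    for container in json.loads(container_definitions_json):
        for env in container.get("environment") or []:
            name = env.get("name", "")
            if SENSITIVE_NAME.search(name) and env.get("value"):
                findings.append((container.get("name", "<unnamed>"), name))
    return findings


def scan_task_definition(hcl_text: str) -> list:
    """Scan an HCL snippet; an empty result means the check passes."""
    findings = []
    for body in extract_container_definitions(hcl_text):
        findings.extend(find_plaintext_secrets(body))
    return findings


if __name__ == "__main__":
    for label, hcl in (("bad_example", INSECURE_HCL), ("good_example", SECURE_HCL)):
        result = scan_task_definition(hcl)
        status = "FAIL" if result else "PASS"
        print(f"{label}: {status} {result}")
```

Running the block reports bad_example as failing on DATABASE_PASSWORD and good_example as passing, because entries under "secrets" carry only a reference, never the value itself; values delivered that way are resolved by the ECS agent at container start and do not appear in the task definition.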