10

ECS Config Rules

Last Update 4 bulan yang lalu

AWS Config Rule: ECS Containers Non Privileged AWS Config Rule: ECS Container Insights Enabled AWS Config Rule: ECS No Environment Secrets AWS Config Rule: ECS Fargate Latest Platform Version AWS Config Rule: ECS Containers ReadOnly Access

AWS Config Rule: ECS No Environment Secrets

ECS_NO_ENVIRONMENT_SECRETS

Eduardo Van Cauteren

Last Update 9 bulan yang lalu

Description: Checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if 1 or more environment variable key matches a key listed in the 'secretKeys' parameter (excluding environmental variables from other locations such as Amazon S3). Note: This rule only evaluates the latest active revision of an Amazon ECS task definition.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Asia Pacific (Osaka), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), China (Ningxia) Region

How to Resolve Manually

A task definition is a blueprint for your application. It is a text file in JSON format that describes the parameters and one or more containers that form your application.

This config rules checks if the latest active version of a Task Definition does not contain any environment variable key that matches a key listed in the 'secretKeys' parameter. If one of the keys are found, the rule will be marked non-compliant.


In order to resolve this, you will need to create a new revision with the required changes for your particular task definition. To do so head on over to the Elastic Container Service (ECS) and click on Task definitions from the left menu. From the list, click on the definition that is not compliant and then choose the latest revision.

At the properties screen, if you click on the JSON tab, you can look within the "environment" property which of the secretKeys is the one making the rule to not comply. To resolve the issue, click on Create New Revision button at the top right, then you can select Create new revision with JSON to use the current JSON definition as a baseline.

Change the key to a value that fits your organization's needs and save the changes. You can check the following screenshot as a general reference:

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us