AWS Config Rule: ECS No Environment Secrets
ECS_NO_ENVIRONMENT_SECRETS
Eduardo Van Cauteren
Last Update hace 6 meses
Description: Checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if 1 or more environment variable key matches a key listed in the 'secretKeys' parameter (excluding environmental variables from other locations such as Amazon S3). Note: This rule only evaluates the latest active revision of an Amazon ECS task definition.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Asia Pacific (Osaka), AWS GovCloud (US-East), AWS GovCloud (US-West) Region
How to Resolve Manually
A task definition is a blueprint for your application. It is a text file in JSON format that describes the parameters and one or more containers that form your application.
This config rules checks if the latest active version of a Task Definition does not contain any environment variable key that matches a key listed in the 'secretKeys' parameter. If one of the keys are found, the rule will be marked non-compliant.
In order to resolve this, you will need to create a new revision with the required changes for your particular task definition. To do so head on over to the Elastic Container Service (ECS) and click on Task definitions from the left menu. From the list, click on the definition that is not compliant and then choose the latest revision.
At the properties screen, if you click on the JSON tab, you can look within the "environment" property which of the secretKeys is the one making the rule to not comply. To resolve the issue, click on Create New Revision button at the top right, then you can select Create new revision with JSON to use the current JSON definition as a baseline.
Change the key to a value that fits your organization's needs and save the changes. You can check the following screenshot as a general reference:
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here