Description:
Elastic Container Service (ECS) is a fully managed container orchestration service that makes it easy to run, stop, and manage containers on a cluster. It can inject sensitive data into your containers at launch: you store the sensitive data in AWS Secrets Manager (or AWS Systems Manager Parameter Store) and reference it from the container definition, instead of writing the value into the task definition itself.
As a security best practice, do not pass sensitive information to containers as plaintext environment variables in the task definition. Instead, reference values stored in AWS Systems Manager Parameter Store or AWS Secrets Manager from the secrets section of the container definition in an Amazon ECS task definition. ECS then exposes the value to the container as an environment variable, or in the log configuration of the container, while the task definition holds only the ARN of the secret.
Rationale:
ECS task definitions are metadata: small configuration documents that define how a task runs on the cluster. Anything placed in a container definition's environment list is stored in the task definition in plaintext and is returned verbatim by the ecs:DescribeTaskDefinition API, so any principal with that basic read-only permission can read it, and there is no option to encrypt it. A value referenced through the secrets list, by contrast, is stored only as an ARN; the plaintext is fetched by the task execution role when the task starts and never appears in the task definition.
Impact:
Remove secrets from unencrypted locations that are easy to read, such as task definition environment variables, to reduce the risk of exposing them to third parties. Note that task definition revisions are retained (as INACTIVE revisions) until they are deleted, so a secret that was stored in plaintext stays readable in every revision that contains it; rotate the secret after moving it, not just the current revision.
Default Value:
By default, Amazon ECS does not prevent plaintext values in the environment section of a task definition. Injecting sensitive data from AWS Secrets Manager (or Systems Manager Parameter Store) is available but opt-in: you store the value as a secret and reference its ARN in the container definition.
Pre-Requisite:
- Have a secret stored in Secrets Manager.
- Attach the required policy to the IAM role ecsTaskExecutionRole.
- The ECS cluster and the task should be running.
Remediation:
Test Plan:
1. Find the public IP or DNS address for your container instance.
   - Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
   - Select the cluster that hosts your container instance.
   - On the Cluster page, choose ECS Instances.
   - In the Container Instance column, select the container instance to connect to.
   - On the Container Instance page, record the Public IP or Public DNS for your instance.
2. If you are using a macOS or Linux computer, connect to your instance with the following command, substituting the path to your private key and the public address for your instance:
   $ ssh -i /path/to/my-key-pair.pem ec2-user@<public-dns-or-ip>
   For more information about using a Windows computer, see Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 User Guide for Linux Instances.
3. List the containers running on the instance. Note the container ID of the ecs-secrets-container container.
   docker ps
4. Connect to the container using the container ID from the output of the previous step.
   docker exec -it container_ID /bin/bash
5. Use the echo command to print the value of the environment variable.
   echo $username_value
   If the tutorial was successful, the command prints the secret value (password_value in this tutorial), even though that value appears nowhere in the task definition.
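The steps above confirm that the container receives the secret. The complementary check for this control is that the task definition itself does not hold the value, since the task definition is exactly what any principal with ecs:DescribeTaskDefinition sees. The following script is an added example, not part of the AWS tutorial on this page. It runs over the JSON that `aws ecs describe-task-definition` returns (a constructed sample is embedded so it runs offline), flags environment entries that look like plaintext secrets, and lists the secrets references that are the expected pattern. The name patterns and the file name in the usage comment are assumptions to adapt to your own conventions.

```python
import json
import re
import sys

# Variable names that usually carry credentials. Assumption: tune to your own
# naming conventions; a name match is a hint for a human to check, not proof.
SUSPICIOUS_NAME = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential", re.I
)
# An AWS access key ID (AKIA + 16 characters); a matching value is a finding
# regardless of what the variable is called.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _task_definition(doc):
    """Accept either a bare task definition or the describe-task-definition
    response, which wraps it in {"taskDefinition": {...}}."""
    return doc.get("taskDefinition", doc)


def find_plaintext_secrets(doc):
    """Return (container, variable, reason) for every `environment` entry that
    looks like a secret stored in plaintext in the task definition."""
    findings = []
    for container in _task_definition(doc).get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if AWS_ACCESS_KEY_ID.search(value):
                findings.append((container["name"], name, "value is an AWS access key ID"))
            elif SUSPICIOUS_NAME.search(name):
                findings.append((container["name"], name, "secret-like name in plaintext environment"))
    return findings


def secret_references(doc):
    """Return (container, variable, valueFrom) for every `secrets` entry. These
    are resolved by the task execution role at launch and only the ARN is
    stored in the task definition, which is the pattern this control wants."""
    return [
        (c["name"], s["name"], s["valueFrom"])
        for c in _task_definition(doc).get("containerDefinitions", [])
        for s in c.get("secrets", [])
    ]


# Constructed sample: a describe-task-definition response in which one value
# was typed straight into `environment` and an AWS key hides behind an
# innocuous name, while the tutorial's username_value is referenced correctly.
SAMPLE = json.loads("""
{
  "taskDefinition": {
    "family": "ecs-secrets-tutorial",
    "containerDefinitions": [
      {
        "name": "ecs-secrets-container",
        "image": "httpd:2.4",
        "environment": [
          {"name": "APP_ENV", "value": "prod"},
          {"name": "DB_PASSWORD", "value": "hunter2"},
          {"name": "UPLOAD_ID", "value": "AKIAIOSFODNN7EXAMPLE"}
        ],
        "secrets": [
          {"name": "username_value",
           "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:username_value-u9bH6K"}
        ]
      }
    ]
  }
}
""")

if __name__ == "__main__":
    # Usage (file name is an assumption): python audit_task_definition.py [td.json]
    # where td.json is the output of
    #   aws ecs describe-task-definition --task-definition <family:revision>
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for container, name, reason in find_plaintext_secrets(doc):
        print(f"FAIL {container}: {name}: {reason}")
    for container, name, arn in secret_references(doc):
        print(f"ok   {container}: {name} <- {arn}")
```

Run it against every ACTIVE revision of every family in the account, not only the latest: the older revisions remain readable and are where a plaintext secret usually survives.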
Implementation Plan:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles.
3. Search the list of roles for ecsTaskExecutionRole and select it.
4. Choose Permissions, then choose the X next to the ECSSecretsTutorial inline policy. Choose Remove to confirm the removal of the inline policy.
5. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
6. Select the secret you created and choose Actions, Delete secret.
The following command removes the inline policy from the role:
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
The following example deletes a secret immediately without a recovery window. You can't recover this secret, so only use --force-delete-without-recovery once no running task or task definition revision still references it; otherwise omit the flag and accept the default recovery window.
aws secretsmanager delete-secret \
  --secret-id <secret-id> \
  --force-delete-without-recovery
Back out Plan:
To create a basic secret
Use Secrets Manager to create a secret for your sensitive data.
1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
2. Choose Store a new secret.
3. For Secret type, choose Other type of secrets.
4. For Key/value pairs, choose the Plaintext tab and replace the existing text with the following text. The text value you specify here will be the environment variable value in your container at the end of the tutorial.
password_value
5. Choose Next.
6. For Secret name, type username_value and choose Next. The secret name you specify here will be the environment variable name in your container at the end of the tutorial.
7. For Configure automatic rotation, leave Disable automatic rotation selected and choose Next.
8. Review these settings, and then choose Store to save everything you entered as a new secret in Secrets Manager.
9. Select the secret you just created and save the Secret ARN to reference in your task execution IAM policy and task definition in later steps.
To update your task execution IAM role
Use the IAM console to update your task execution role with the required permissions.
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles.
3. Search the list of roles for ecsTaskExecutionRole and select it.
4. Choose Permissions, then Add inline policy. On the JSON tab, enter a policy that allows secretsmanager:GetSecretValue on the Secret ARN you saved in the previous procedure, and kms:Decrypt on the key only if the secret is encrypted with a customer managed KMS key rather than the default AWS managed key. Scope the Resource to that ARN rather than "*" so the execution role can read only this secret.
5. Choose Review policy. For Name specify ECSSecretsTutorial, then choose Create policy.
To create a task definition that specifies a secret
Use the Amazon ECS console to create a task definition that references the secret.
1. Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
2. In the navigation pane, choose Task Definitions, Create new Task Definition.
3. On the Select launch type compatibility page, choose EC2 and choose Next step.
4. Choose Configure via JSON and enter the following task definition JSON text, ensuring that you specify the full ARN of the Secrets Manager secret you created in the first procedure and the task execution IAM role you updated in the second. Choose Save.
{
  "executionRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "entryPoint": [
        "sh",
        "-c"
      ],
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "command": [
        "/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
      ],
      "cpu": 10,
      "secrets": [
        {
          "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:username_value-u9bH6K",
          "name": "username_value"
        }
      ],
      "memory": 300,
      "image": "httpd:2.4",
      "essential": true,
      "name": "ecs-secrets-container"
    }
  ],
  "family": "ecs-secrets-tutorial"
}
5. Review the settings and then choose Create.
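Putting the two preceding procedures together (the inline policy on the task execution role and the secrets entry in the task definition): the following added example, which is not code from the AWS tutorial on this page, takes a task definition that still carries a value in environment, rewrites it so the container definition stores only the Secrets Manager ARN, and generates the least-privilege inline policy the execution role needs for exactly those ARNs. The sample task definition, account ID, region and secret suffix are constructed placeholders; the functions assume the value has already been stored in Secrets Manager and that references are full ARNs (bare Parameter Store names are not handled).

```python
import copy
import json


def move_env_to_secrets(task_def, secret_arns):
    """Return a copy of `task_def` in which every environment variable named in
    `secret_arns` ({variable: Secrets Manager or SSM ARN}) is removed from
    `environment` and added to `secrets`, so the task definition stores only
    the ARN and ECS resolves the value at launch. Raises ValueError if a named
    variable is not found, so a typo cannot silently leave plaintext behind."""
    td = copy.deepcopy(task_def)
    missing = set(secret_arns)
    for container in td.get("containerDefinitions", []):
        kept = []
        for env in container.get("environment", []):
            if env["name"] in secret_arns:
                container.setdefault("secrets", []).append(
                    {"name": env["name"], "valueFrom": secret_arns[env["name"]]}
                )
                missing.discard(env["name"])
            else:
                kept.append(env)
        if kept:
            container["environment"] = kept
        else:
            container.pop("environment", None)
    if missing:
        raise ValueError(f"not in any container environment: {sorted(missing)}")
    return td


def _resource_arn(ref):
    """Secrets Manager references may carry :json-key:version-stage:version-id
    after the ARN; the IAM resource is the secret ARN itself (first 7 fields).
    Secret names cannot contain colons, so splitting on ':' is safe."""
    if ref.startswith("arn:aws:secretsmanager:"):
        return ":".join(ref.split(":")[:7])
    return ref


def execution_role_policy(task_def, kms_key_arn=None):
    """Build the inline policy the task execution role needs to resolve the
    `secrets` in `task_def`, scoped to exactly those ARNs: GetSecretValue for
    Secrets Manager, GetParameters for Parameter Store, and kms:Decrypt only
    when the secret is encrypted with a customer managed key."""
    refs = {_resource_arn(s["valueFrom"])
            for c in task_def.get("containerDefinitions", [])
            for s in c.get("secrets", [])}
    sm = sorted(a for a in refs if a.startswith("arn:aws:secretsmanager:"))
    ssm = sorted(a for a in refs if a.startswith("arn:aws:ssm:"))
    statements = []
    if sm:
        statements.append({"Effect": "Allow",
                           "Action": ["secretsmanager:GetSecretValue"],
                           "Resource": sm})
    if ssm:
        statements.append({"Effect": "Allow",
                           "Action": ["ssm:GetParameters"],
                           "Resource": ssm})
    if kms_key_arn:
        statements.append({"Effect": "Allow",
                           "Action": ["kms:Decrypt"],
                           "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: the tutorial's task definition as it would look if the
# value had been typed straight into `environment` (the state this control
# flags). Account ID, region and secret suffix are placeholders.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:username_value-u9bH6K"
BEFORE = {
    "family": "ecs-secrets-tutorial",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "ecs-secrets-container",
        "image": "httpd:2.4",
        "essential": True,
        "environment": [
            {"name": "APP_ENV", "value": "prod"},
            {"name": "username_value", "value": "password_value"},
        ],
    }],
}

if __name__ == "__main__":
    after = move_env_to_secrets(BEFORE, {"username_value": SECRET_ARN})
    # Register the result as a new revision with:
    #   aws ecs register-task-definition --cli-input-json file://after.json
    print(json.dumps(after, indent=2))
    # Attach the policy with:
    #   aws iam put-role-policy --role-name ecsTaskExecutionRole \
    #     --policy-name ECSSecretsTutorial --policy-document file://policy.json
    print(json.dumps(execution_role_policy(after), indent=2))
```

Registering the rewritten JSON creates a new revision; the old revision still contains the plaintext, so deregister it and rotate the secret value as well.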
To create a cluster
Use the Amazon ECS console to create a cluster and register one container instance to it.
1. Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
2. From the navigation bar, select the Region that contains both the Secrets Manager secret and the Amazon ECS task definition you created.
3. In the navigation pane, choose Clusters.
4. On the Clusters page, choose Create Cluster.
5. For the EC2 instance type, choose t2.micro.
6. For the Key pair, choose a key pair to add to the container instance.
7. Leave all other fields at their default values and choose Create.
References:
What is Amazon Elastic Container Service? - Amazon Elastic Container Service
Passing sensitive data to a container - Amazon Elastic Container Service
Tutorial: Specifying Sensitive Data Using Secrets Manager Secrets - Amazon Elastic Container Service