Profile Applicability:

  • Level 1

Description:
Ensure that sensitive secrets, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and ECS_ENGINE_AUTH_DATA, are not passed as environment variables in Amazon ECS task definitions. Instead, use secure methods such as AWS Secrets Manager or AWS Systems Manager Parameter Store to inject these credentials into containers.

Rationale:
Passing secrets directly as environment variables exposes them to compromise: any process inside the container, and any unauthorized user who can read the task definition, can read the plaintext values. Storing secrets in managed services such as AWS Secrets Manager or AWS Systems Manager Parameter Store provides better security and control over sensitive information.

Impact:
Pros:

  • Enhanced security by using managed services to handle sensitive data.

  • Reduced risk of data leakage from containers or unauthorized processes.

  • Compliance with best practices for secrets management.

Cons:

  • Administrative effort is required to configure and integrate secrets management services.

  • Operational overhead for managing and rotating secrets.

Default Value:
By default, secrets should not be stored as container environment variables in ECS task definitions. This is a best practice, and AWS recommends using AWS Secrets Manager or AWS Systems Manager Parameter Store for sensitive data management.

Pre-requisites:

  • AWS IAM permissions to manage ECS task definitions and Secrets Manager/Systems Manager:
     ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition, secretsmanager:GetSecretValue, ssm:GetParameter

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition to review.

  4. Click on the latest active revision of the task definition.

  5. Click JSON to view the raw configuration.

  6. For each element under containerDefinitions, ensure that no environment variables contain sensitive information, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA.

  7. If any secrets are found, refer to the remediation below.

  8. Repeat steps 1–7 for all task definitions across all AWS regions.

Using AWS CLI:

  1. Run the following command to list all task definitions:

    aws ecs list-task-definitions

  2. For each task definition, run the following command to describe it:

    aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.containerDefinitions[*].environment[*].name'

  3. Ensure that no environment variables contain AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. If found, refer to the remediation below.

  4. Repeat steps 1–3 for all task definitions and AWS regions.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition that needs modification.

  4. Click on the latest active revision of the task definition.

  5. Click Create new revision.

  6. In the JSON editor, remove any environment variables that contain secrets (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA):

    "environment": [
      {
        "name": "AWS_ACCESS_KEY_ID",
        "value": "your-secret-key"
      },
      {
        "name": "AWS_SECRET_ACCESS_KEY",
        "value": "your-secret-access-key"
      }
    ]

  7. Instead, declare those variables under "secrets" with a "valueFrom" reference to the Secrets Manager secret or Systems Manager parameter, so the values are injected into the container at launch rather than stored in the task definition.

  8. Click Create to save the new task definition revision.

  9. Repeat steps 1–8 for any other task definitions requiring remediation.

Using AWS CLI:

  1. For each task definition that needs to be updated, run the following command to register a new task definition without the sensitive environment variables:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --execution-role-arn <task-execution-role-arn> \
      --container-definitions '[{"name": "container-name", "image": "image-name", "secrets": [{"name": "AWS_SECRET", "valueFrom": "arn:aws:ssm:region:account-id:parameter/secret-name"}]}]'

  2. Secret references belong under "secrets" with a "valueFrom" ARN; the "environment" list accepts only literal "value" entries. The task execution role must be permitted to read the referenced parameter or secret. This ensures that sensitive data such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY is managed securely.

  3. After registering the new revision, redeploy the ECS tasks using the new task definition.
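The audit from the Test Plan and the rewrite from the Implementation Plan, as an added Python example that is not part of this benchmark: it scans a task definition in the shape returned by describe-task-definition for plaintext credential variables, then produces a registerable copy with those variables moved under "secrets" as "valueFrom" references. The sample task definition, the placeholder ARNs and the extra name pattern are constructed assumptions.

```python
import json
import re

# Names the benchmark calls out; the wider pattern is an assumption for this example.
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}
SENSITIVE_PATTERN = re.compile(r"SECRET|PASSWORD|TOKEN|API_KEY", re.IGNORECASE)
# Returned by describe-task-definition but rejected by register-task-definition.
READ_ONLY_FIELDS = {"taskDefinitionArn", "revision", "status", "requiresAttributes",
                    "compatibilities", "registeredAt", "registeredBy"}

def find_plaintext_secrets(task_def):
    """Audit: (container, variable) pairs for sensitive-looking 'environment' entries."""
    findings = []
    for cd in task_def.get("containerDefinitions", []):
        for env in cd.get("environment", []):  # 'secrets' entries are references, not flagged
            name = env.get("name", "")
            if name in SENSITIVE_NAMES or SENSITIVE_PATTERN.search(name):
                findings.append((cd["name"], name))
    return findings

def move_to_secrets(task_def, references):
    """Remediation: registerable copy with variables in references (name -> ARN) moved to 'secrets'."""
    new = {k: v for k, v in json.loads(json.dumps(task_def)).items()  # deep copy
           if k not in READ_ONLY_FIELDS}
    for cd in new.get("containerDefinitions", []):
        keep, moved = [], cd.get("secrets", [])
        for env in cd.get("environment", []):
            if env["name"] in references:
                moved.append({"name": env["name"], "valueFrom": references[env["name"]]})
            else:
                keep.append(env)
        cd["environment"] = keep
        if moved:
            cd["secrets"] = moved
    return new

# Constructed sample in describe-task-definition shape; every value here is fake.
SAMPLE = {"family": "web", "status": "ACTIVE",
          "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:3",
          "containerDefinitions": [{"name": "app", "image": "app:1", "environment": [
              {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-EXAMPLE"},
              {"name": "AWS_SECRET_ACCESS_KEY", "value": "example-secret"},
              {"name": "LOG_LEVEL", "value": "info"}]}]}
# Placeholder ARNs for the parameter/secret that would hold each real value.
REFS = {"AWS_ACCESS_KEY_ID": "arn:aws:ssm:us-east-1:123456789012:parameter/web/access-key-id",
        "AWS_SECRET_ACCESS_KEY": "arn:aws:secretsmanager:us-east-1:123456789012:secret:web/secret-key"}

if __name__ == "__main__":
    print("findings:", find_plaintext_secrets(SAMPLE))
    print(json.dumps(move_to_secrets(SAMPLE, REFS), indent=2))
```

The returned document can be passed to register-task-definition as --cli-input-json once an execution role with read access to the referenced parameters or secrets is set on it.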

Backout Plan:

Using AWS Console:

  1. If issues arise after updating the task definitions, revert to the previous revision of the task definition that contained the environment variables.

  2. Redeploy ECS tasks using the previous task definition.

Using AWS CLI:

  1. To restore the original configuration, run the following command to register a new task definition and reintroduce the environment variables:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --container-definitions '[{"name": "container-name", "image": "image-name", "environment": [{"name": "AWS_ACCESS_KEY_ID", "value": "secret-key"}]}]'

  2. Redeploy ECS tasks using the older task definition if necessary.

References:

  1. AWS ECS: Specifying Sensitive Data

  2. AWS CLI: describe-task-definition

  3. AWS CLI: register-task-definition

  4. AWS Secrets Manager: Storing and Retrieving Secrets

  5. AWS Systems Manager Parameter Store

CIS Controls:

Version | Control ID | Control Description
--- | --- | ---
v8 | 3.1 | Establish and maintain a data management process that ensures sensitive data, such as secrets, is stored securely, using services like AWS Secrets Manager or Systems Manager Parameter Store rather than as environment variables.
v8 | 3.2 | Establish and maintain a data inventory of sensitive information and ensure that it is securely handled, ensuring compliance with best practices for secrets management.
v7 | 16.4 | Encrypt or hash all authentication credentials to prevent leakage or compromise, ensuring secrets are not stored in plaintext in ECS task definitions.