Profile Applicability:
Level 1
Description:
This control ensures that Amazon Elastic Container Service (ECS) task definitions use AWS Secrets Manager or AWS Systems Manager Parameter Store to store and reference sensitive environment variables, such as API keys, passwords, tokens, or database credentials. Embedding secrets directly in plaintext environment variables within task definitions poses a significant security risk. Using managed secret services ensures encryption at rest, controlled access, and secure retrieval at runtime.
Rationale:
Sensitive data such as credentials and access keys should never be hardcoded or stored in plaintext in task definitions. Storing secrets in dedicated, encrypted services like AWS Secrets Manager or SSM Parameter Store provides the following benefits:
Secrets are encrypted at rest using AWS Key Management Service (KMS).
Access is controlled via IAM policies.
Secrets can be automatically rotated and managed.
Security teams can audit and monitor access through CloudTrail logs.
Failing to use managed secret references increases the risk of credential exposure, data breaches, and non-compliance with security frameworks.
Impact:
Positive Impact:
Protects credentials and sensitive configuration data from exposure.
Enables fine-grained IAM access control and auditing for secret retrieval.
Supports compliance with security standards such as CIS, SOC 2, ISO 27001, and HIPAA.
Negative Impact:
Requires secret management setup and IAM configuration before migration.
Default Value:
By default, ECS task definitions allow environment variables to be stored in plaintext. Secret references using Secrets Manager or Parameter Store must be explicitly defined.
Pre-Requisite:
IAM permissions required:
ecs:DescribeTaskDefinition, ecs:RegisterTaskDefinition, secretsmanager:GetSecretValue, and ssm:GetParameters.
Secrets should already exist in AWS Secrets Manager or SSM Parameter Store.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon ECS → Task Definitions.
Select a task definition family and revision to review.
Under the Container definitions section, review the Environment variables tab.
Verify that sensitive data (passwords, tokens, etc.) is not stored as plaintext in the “Environment variables” list.
Under the Secrets section, confirm that variables referencing secrets exist. For example:
The Value from (valueFrom) field should reference a secret ARN from Secrets Manager or Parameter Store (e.g., arn:aws:secretsmanager:us-east-1:123456789012:secret:MyDBPassword).
If secrets are missing or plaintext values are found, proceed with the implementation plan.
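The same check as the console steps above, as an added example that is not part of this benchmark: the script takes a task definition in the JSON shape returned by ecs:DescribeTaskDefinition (a constructed sample is embedded; a real one can be loaded from the AWS CLI output instead), flags environment variables whose names suggest credentials, and verifies that every entry under secrets references a Secrets Manager or SSM Parameter Store ARN. The list of sensitive name patterns is an assumed heuristic, not an AWS definition.

```python
import json
import re

# Constructed sample (not a real task definition): one plaintext credential
# and one correct Secrets Manager reference.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "example-api",
  "containerDefinitions": [
    {
      "name": "api",
      "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "plaintext-placeholder"}
      ],
      "secrets": [
        {"name": "API_TOKEN",
         "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyApiToken"}
      ]
    }
  ]
}
""")

# Assumed heuristic: variable names that usually carry credentials.
SENSITIVE_NAME = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL", re.I)
# valueFrom must be a Secrets Manager secret ARN or an SSM parameter ARN
# (any AWS partition). ECS also accepts a bare SSM parameter name in the same
# region, but this audit requires the full ARN, as the test plan describes.
SECRET_ARN = re.compile(
    r"^arn:aws(-[a-z]+)*:(secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+"
    r"|ssm:[a-z0-9-]+:\d{12}:parameter/\S+)$")


def audit_task_definition(task_def):
    """Return a list of findings; an empty list means the revision passes."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{cname}: plaintext environment variable {env['name']}")
        for secret in container.get("secrets", []):
            if not SECRET_ARN.match(secret.get("valueFrom", "")):
                findings.append(f"{cname}: secret {secret['name']} does not reference "
                                "a Secrets Manager or SSM Parameter Store ARN")
    return findings


if __name__ == "__main__":
    for line in audit_task_definition(SAMPLE_TASK_DEFINITION) or ["PASS"]:
        print(line)
```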
Implementation Plan
Using AWS Console:
Navigate to AWS Secrets Manager or AWS Systems Manager Parameter Store.
Create a new secret if it does not exist:
Go to Secrets Manager → Store a new secret.
Select Other type of secret and add your key-value pair (e.g., DB_PASSWORD=mysecurepassword).
Choose an appropriate KMS key and click Next to complete the process.
Navigate to Amazon ECS → Task Definitions.
Choose the task definition you want to update and select Create new revision.
In the Container definitions section, scroll to Environment variables → Add environment variable.
Click Add secret and specify:
Name: The environment variable key (e.g., DB_PASSWORD).
Value from: Select your AWS Secrets Manager or Parameter Store ARN.
Remove any existing plaintext variables containing sensitive data.
Save the updated task definition revision and redeploy ECS services using the new definition.
Backout Plan:
If the application fails after migration due to secret retrieval issues, revert to the previous ECS task definition revision that contains the original configuration.
Review IAM permissions to ensure ECS task execution roles have the correct access to retrieve secrets from Secrets Manager or Parameter Store (secretsmanager:GetSecretValue or ssm:GetParameters).
Once verified, reapply the updated secret-based task definition.
References: