Potentially sensitive variable in task definition Affecting ECS service in AWS

Snyk CCSS

Keys and Secrets / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls

Snyk ID SNYK-CC-00224
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Secret value has been declared in variable definition.

How to fix?

Remove the secret value from the environment map.

Example Configuration

resource "aws_ecs_task_definition" "service_2" {
  family                = "service"
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF

  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}

Terraform

Resource: aws_ecs_task_definition

References

Passing sensitive data to a container