Control: ECS task definition containers should not have secrets passed as environment variables
Description
This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as AWS S3.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ecs_task_definition_container_environment_no_secretSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.ecs_task_definition_container_environment_no_secret --shareSQL
This control uses a named query:
with definitions_with_secret_environment_variable as ( select distinct task_definition_arn as arn from aws_ecs_task_definition, jsonb_array_elements(container_definitions) as c, jsonb_array_elements( c -> 'Environment') as e, jsonb_array_elements( case jsonb_typeof(c -> 'Secrets') when 'array' then (c -> 'Secrets') else null end ) as s where e ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA']) or s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA']))select d.task_definition_arn as resource, case when e.arn is null then 'ok' else 'alarm' end as status, case when e.arn is null then d.title || ' container environment variables does not have secrets.' else d.title || ' container environment variables have secrets.' end as reason , region, account_idfrom aws_ecs_task_definition as d left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn;