🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 8 Secrets should not be passed as container environment variables

Description

This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3.

AWS Systems Manager Parameter Store can help you improve the security posture of your organization. We recommend using the Parameter Store to store secrets and credentials instead of directing passing them into your container instances or hard coding them into your code.

Remediation

To create parameters using SSM, see Creating Systems Manager parametersin the AWS Systems Manager User Guide. For more information about creating a task definition that specifies a secret, see Specifying sensitive data using Secrets Manager in the Amazon Elastic Container Service Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecs_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_8 --share

SQL

This control uses a named query:

with definitions_with_secret_environment_variable as (
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c,
    jsonb_array_elements( c -> 'Environment') as e,
        jsonb_array_elements(
    case jsonb_typeof(c -> 'Secrets')
        when 'array' then (c -> 'Secrets')
        else null end
    ) as s
  where
    e ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])
    or s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])
)
select
  d.task_definition_arn as resource,
  case
    when e.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when e.arn is null then d.title || ' container environment variables does not have secrets.'
    else d.title || ' container environment variables have secrets.'
  end as reason
  
  , region, account_id
from
  aws_ecs_task_definition as d
  left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = credentials_not_hard_coded
foundational_security_item_id = ecs_8
plugin = aws
service = AWS/ECS