ECS Task Definition Container With Plaintext Password
- Query id: f9b10cdb-eaab-4e39-9793-e12b94a582ad
- Query name: ECS Task Definition Container With Plaintext Password
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description
It is not recommended to pass sensitive information, such as credential data, through plaintext environment variables: a value set under a container's `Environment` list is stored as part of the task definition and is visible to anyone who can read the template or describe the task definition, as well as to every process in the container. Credentials should instead be referenced through the container definition's `Secrets` property (a `ValueFrom` pointing at Secrets Manager or SSM Parameter Store), so the plaintext value never appears in the template.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"taskdefinition3": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": 256,
"PortMappings": [
{
"HostPort": {
"Ref": "AppHostPort"
},
"ContainerPort": {
"Ref": "AppContainerPort"
}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": 512,
"Essential": true,
"Name": {
"Ref": "AppName"
},
"Environment": [
{
"Name": "password",
"Value": "123123"
}
]
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]
}
}
}
}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
taskdefinition4:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Name:
Ref: "AppName"
MountPoints:
- SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: 256
PortMappings:
- ContainerPort:
Ref: "AppContainerPort"
HostPort:
Ref: "AppHostPort"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
Memory: 512
Essential: true
Environment:
- Name: "password"
Value: 123123123
Volumes:
- Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"
Code samples without security vulnerabilities
Negative test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
],
"ContainerDefinitions": [
{
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": 512,
"PortMappings": [
{
"ContainerPort": {
"Ref": "AppContainerPort"
},
"HostPort": {
"Ref": "AppHostPort"
}
}
],
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": 256,
"HealthCheck": {
"Command": [
"CMD-SHELL",
"curl -f http://localhost:8080/ || exit 1"
],
"Interval": 30,
"Retries": 3,
"StartPeriod": 1,
"Timeout": 5
},
"Essential": true,
"Name": {
"Ref": "AppName"
}
}
]
}
}
}
}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
taskdefinition2:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Name:
Ref: "AppName"
MountPoints:
- SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: 256
PortMappings:
- ContainerPort:
Ref: "AppContainerPort"
HostPort:
Ref: "AppHostPort"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
HealthCheck:
Command:
- CMD-SHELL
- curl -f http://localhost:8080/ || exit 1
Interval: 30
Retries: 3
StartPeriod: 1
Timeout: 5
Memory: 512
Essential: true
Volumes:
- Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"