ECS Task Definition Container With Plaintext Password
- Query id: d40210ea-64b9-4cce-a4fb-e8604f3c062c
- Query name: ECS Task Definition Container With Plaintext Password
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description
Sensitive information, such as credential data, should not be passed to containers as plaintext environment variables; the values are stored unencrypted in the task definition.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: the query reports this task definition because the
# container receives a credential ("password") as a literal value in the
# `environment` list, i.e. the secret is stored in plaintext inside the
# task definition rather than being referenced from a secret store.
resource "aws_ecs_task_definition" "positive1" {
  family = "service"

  container_definitions = <<EOF
{
  "family": "",
  "taskRoleArn": "",
  "executionRoleArn": "",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "",
      "image": "",
      "repositoryCredentials": {"credentialsParameter": ""},
      "cpu": 0,
      "memory": 0,
      "memoryReservation": 0,
      "links": [""],
      "portMappings": [
        {
          "containerPort": 0,
          "hostPort": 0,
          "protocol": "tcp"
        }
      ],
      "essential": true,
      "entryPoint": [""],
      "command": [""],
      "environment": [
        {
          "name": "password",
          "value": "123231231213"
        }
      ],
      "environmentFiles": [
        {
          "value": "",
          "type": "s3"
        }
      ]
    }
  ]
}
EOF

  # Host-path volume mounted into the service container.
  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  # Restrict placement to the listed availability zones.
  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: no credential is placed in the `environment` list, so the
# query does not report it. In a real task definition, sensitive values
# should be injected through the container definition's `secrets` list
# (`name` / `valueFrom` pointing at a Secrets Manager or SSM Parameter Store
# entry) or an access-restricted `environmentFiles` object, not as literals.
resource "aws_ecs_task_definition" "negative1" {
  family = "service"

  container_definitions = <<EOF
{
  "family": "",
  "taskRoleArn": "",
  "executionRoleArn": "",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "",
      "image": "",
      "repositoryCredentials": {"credentialsParameter": ""},
      "cpu": 0,
      "memory": 0,
      "memoryReservation": 0,
      "links": [""],
      "portMappings": [
        {
          "containerPort": 0,
          "hostPort": 0,
          "protocol": "tcp"
        }
      ],
      "essential": true,
      "entryPoint": [""],
      "command": [""],
      "environment": [
        {
          "name": "",
          "value": ""
        }
      ],
      "environmentFiles": [
        {
          "value": "",
          "type": "s3"
        }
      ]
    }
  ]
}
EOF

  # Host-path volume mounted into the service container.
  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  # Restrict placement to the listed availability zones.
  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}