ECS Task Definition Container With Plaintext Password

  • Query id: 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892
  • Query name: ECS Task Definition Container With Plaintext Password
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

It is not recommended to pass sensitive information, such as credential data, to a container as a plaintext environment variable: the value is stored in the task definition and exposed to anyone who can read it.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create task definition
  community.aws.ecs_taskdefinition:
    family: nginx
    containers:
    - name: nginx
      essential: true
      image: "nginx"
      portMappings:
      - containerPort: 8080
        hostPort: 8080
      env:
      - password: shhh
    launch_type: FARGATE
    cpu: 512
    memory: 1024
    state: present
    network_mode: awsvpc

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create task definition
  community.aws.ecs_taskdefinition:
    family: nginx
    containers:
    - name: nginx
      essential: true
      image: nginx
      portMappings:
      - containerPort: 8080
        hostPort: 8080
    launch_type: FARGATE
    cpu: 512
    memory: 1024
    state: present
    network_mode: awsvpc
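As an added illustration of what this query looks for (example code written for this page, not part of KICS or the community.aws module): a small Python checker that walks parsed ecs_taskdefinition tasks and flags credential-looking environment variables set to literal values, run over the two samples above. The SENSITIVE_KEY pattern and the AWS-style `environment` name/value form are assumptions, not taken from the query.

```python
import copy
import re

# Key names that suggest a credential (assumed pattern); the positive sample uses "password".
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api_?key", re.IGNORECASE)

# The page's positive sample transcribed as an already-parsed task list (constructed
# here so the example runs without a YAML parser; a scanner would load the playbook with PyYAML).
POSITIVE_TASKS = [{
    "name": "Create task definition",
    "community.aws.ecs_taskdefinition": {
        "family": "nginx",
        "containers": [{
            "name": "nginx", "essential": True, "image": "nginx",
            "portMappings": [{"containerPort": 8080, "hostPort": 8080}],
            "env": [{"password": "shhh"}],
        }],
        "launch_type": "FARGATE", "cpu": 512, "memory": 1024,
        "state": "present", "network_mode": "awsvpc",
    },
}]
# The negative sample is the same task without the env block.
NEGATIVE_TASKS = copy.deepcopy(POSITIVE_TASKS)
del NEGATIVE_TASKS[0]["community.aws.ecs_taskdefinition"]["containers"][0]["env"]

def env_pairs(container):
    """Yield (name, value) for each env var a container sets. Accepts the page's
    'env' list of one-key mappings and, as an assumption, the AWS-API style
    'environment' list of {'name': ..., 'value': ...} entries."""
    for entry in container.get("env") or []:
        if isinstance(entry, dict):
            yield from ((str(k), v) for k, v in entry.items())
    for entry in container.get("environment") or []:
        if isinstance(entry, dict) and "name" in entry:
            yield str(entry["name"]), entry.get("value")

def find_plaintext_credentials(tasks):
    """Return (task_name, container_name, env_key) for every ecs_taskdefinition
    container whose env sets a credential-looking key to a non-empty literal."""
    findings = []
    for task in tasks:
        module = task.get("community.aws.ecs_taskdefinition")
        if module is None:
            continue
        for container in module.get("containers") or []:
            for key, value in env_pairs(container):
                if SENSITIVE_KEY.search(key) and value not in (None, ""):
                    findings.append((task.get("name"), container.get("name"), key))
    return findings

if __name__ == "__main__":
    for label, tasks in (("positive", POSITIVE_TASKS), ("negative", NEGATIVE_TASKS)):
        print(label, find_plaintext_credentials(tasks))
```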