Secrets, like API keys, security credentials, and encryption keys, are often injected into AWS ECS containers using just environment variables. I’ve also seen solutions using dedicated tools like AWS SecretsManager incorrectly. As a result, secrets were passed as environment variables again, which means they were hardcoded in the ECS task/container definition, breaking the least privilege principle and violating security benchmark recommendations.
To resolve this issue I’ve created an ecs-secrets-manager Terraform module.
- It uses the AWS Secrets Manager service to store, retrieve and rotate secrets.
- No secret is hardcoded in the container definition. AWS injects them on the container startup.
- You can restrict and audit access to the Secrets Manager, no secret will be accessed without your permission and knowledge.
Feel free to use the module. Any feedback is welcomed!