This check analyzes ECS task definitions for plaintext secrets placed in container environment variables. It flags values that resemble credentials (keys, tokens, passwords) within container definitions.
Risk
Secrets exposed in environment variables undermine confidentiality: they can leak through logs, task metadata, and process introspection.
With container or read-only API access, attackers can reuse credentials to read databases, modify records (integrity), pivot to other services, and trigger outages or unauthorized costs (availability).
prowler aws --checks ecs_task_definitions_no_environment_secrets
Recommendation
Store secrets in AWS Secrets Manager or SSM Parameter Store and inject them at runtime instead of plaintext env vars.
Apply least privilege via task roles, enable regular rotation, avoid logging secret values, and prefer ephemeral credentials for downstream services.
Remediation
- In the AWS Console, go to ECS > Task Definitions and open your task definition
- Create a new revision
- For each container, remove any sensitive values from Environment variables
- Under Environment variables, add a new entry in the Secrets section with Name (e.g., DB_PASSWORD) and ValueFrom pointing to your Secrets Manager/SSM parameter
- Save to create the new revision
- If using a service, update the service to use the new task definition revision and deploy
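The following is an added example, not Prowler's own check code or the project's rule set: it applies simple name/value heuristics (assumptions) to a constructed task definition to find plaintext credentials in `environment`, then builds the remediated revision described above by moving each flagged variable into a `secrets` entry whose `valueFrom` points at a placeholder Secrets Manager or SSM ARN.

```python
import copy
import re

# Heuristics for credential-like names and values (assumptions, not Prowler's own rules).
SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api_?key|access_?key)", re.I)
AWS_ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")

# Constructed task definition; image, values and ARNs below are placeholders.
INSECURE_TASK_DEF = {
    "family": "web-app",
    "containerDefinitions": [{
        "name": "web",
        "image": "example/web:1.0",
        "environment": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "example-plaintext-password"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01"},
        ],
    }],
}
# Where each flagged variable should be read from at runtime (placeholder ARNs).
VALUE_FROM = {
    "DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-PLACEHOLDER",
    "AWS_ACCESS_KEY_ID": "arn:aws:ssm:us-east-1:123456789012:parameter/app/access-key-id",
}

def find_env_secrets(task_def):
    """Return (container, var name) pairs whose name or value looks like a credential."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if SECRET_NAME_RE.search(name) or AWS_ACCESS_KEY_RE.match(value):
                findings.append((container["name"], name))
    return findings

def move_env_to_secrets(task_def, value_from):
    """Build a new revision: flagged vars leave 'environment' and become 'secrets'
    entries whose valueFrom references a Secrets Manager secret or SSM parameter."""
    new_def = copy.deepcopy(task_def)
    flagged = set(find_env_secrets(task_def))
    for container in new_def["containerDefinitions"]:
        kept, secrets = [], container.get("secrets", [])
        for env in container.get("environment", []):
            if (container["name"], env["name"]) in flagged:
                # ECS resolves valueFrom at launch, so the revision holds no plaintext value.
                secrets.append({"name": env["name"], "valueFrom": value_from[env["name"]]})
            else:
                kept.append(env)
        container["environment"], container["secrets"] = kept, secrets
    return new_def
```

For an AWS access key specifically, the better fix per the Recommendation above is to drop the static key entirely and grant the permissions through the task role.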
Resource Type
AwsEcsTaskDefinition