Secrets in Container Environment Variables
More Info:
Ensure ECS task definition log configuration is enabledThis rule checks if secrets are passed as container environment variables in Amazon ECS task definitions. It marks the rule as non-compliant if one or more environment variable keys match a key listed in the ‘secretKeys’ parameter .Risk Level
LowAddress
Security, ReliabilityCompliance Standards
CBP,SEBITriage and Remediation
Remediation
Using Console
Using Console
To remediate secrets being exposed in container environment variables in AWS Kubernetes using the AWS console, follow these steps:
- Identify the exposed secrets: First, identify which secrets are being exposed in the container environment variables. You can do this by examining the Kubernetes deployment configuration or inspecting the running pods.
- Store secrets securely: AWS provides a service called AWS Secrets Manager that allows you to store, retrieve, and manage sensitive data such as passwords, API keys, and other secrets. Store the secrets in AWS Secrets Manager instead of hardcoding them in the container environment variables.
-
Update Kubernetes deployment configuration:
- Open the AWS Management Console and navigate to the Amazon EKS console.
- Select your EKS cluster and navigate to the “Workloads” section.
- Find the deployment that contains the exposed secrets and click on it to view the details.
- Update the deployment configuration to fetch the secrets from AWS Secrets Manager instead of using them directly as environment variables.
- Use AWS IAM roles for service accounts: Instead of directly accessing AWS Secrets Manager from your application code, you can use IAM roles for service accounts (IRSA) to securely provide AWS permissions to your Kubernetes pods. This way, your pods can access AWS services securely without needing to store AWS credentials or secrets in the container environment variables.
- Monitor and audit: Regularly monitor and audit your Kubernetes clusters for any exposed secrets or misconfigurations. Set up alerts and notifications to detect any unauthorized access or changes to your secrets.
Using CLI
Using CLI
To remediate the issue of storing secrets in container environment variables in AWS Kubernetes using AWS CLI, follow these steps:
-
Create a Secret in AWS Secrets Manager:
- Use the AWS CLI to create a secret in AWS Secrets Manager that will store the sensitive information securely. For example, you can create a secret named
my-secretwith key-value pairs for your sensitive data.
- Use the AWS CLI to create a secret in AWS Secrets Manager that will store the sensitive information securely. For example, you can create a secret named
-
Update Kubernetes Deployment YAML:
- Modify your Kubernetes deployment YAML file to reference the secret stored in AWS Secrets Manager. Replace the environment variables containing sensitive data with references to the secret.
-
Apply the Changes:
- Apply the updated deployment YAML file to your Kubernetes cluster using kubectl.
-
Verify the Deployment:
- Verify that the deployment has been updated successfully and the sensitive data is now being sourced from the AWS Secrets Manager secret.
Using Python
Using Python
To remediate the issue of storing secrets in container environment variables in AWS Kubernetes using Python, you can follow these steps:
-
Store Secrets in AWS Secrets Manager:
- Store your sensitive information such as API keys, passwords, etc., securely in AWS Secrets Manager.
-
Grant Access to Secrets:
- Ensure that the Kubernetes service account has the necessary permissions to access the secrets stored in AWS Secrets Manager.
-
Install AWS SDK for Python (Boto3):
- Install the Boto3 library in your Python environment by running the following command:
- Install the Boto3 library in your Python environment by running the following command:
-
Retrieve Secrets in Python:
- Write a Python script to retrieve the secrets from AWS Secrets Manager. Here is an example script:
- Write a Python script to retrieve the secrets from AWS Secrets Manager. Here is an example script:
-
Inject Secrets into Kubernetes Pods:
- Use Kubernetes Secrets to inject the retrieved secrets into your application pods. You can create a Kubernetes Secret object using the retrieved secret value in your Python script.
-
Update Kubernetes Deployment:
- Update your Kubernetes Deployment manifest to mount the secret as a volume or set it as an environment variable in your application container.
-
Deploy the Updated Application:
- Deploy the updated application to your AWS EKS cluster using kubectl or any other deployment tool.