Secrets in Container Environment Variables
More Info:
Ensure ECS task definition log configuration is enabledThis rule checks if secrets are passed as container environment variables in Amazon ECS task definitions. It marks the rule as non-compliant if one or more environment variable keys match a key listed in the ‘secretKeys’ parameter .
Risk Level
Low
Address
Security, Reliability
Compliance Standards
CBP,SEBI
Remediation
Using Console
To remediate secrets being exposed in container environment variables in AWS Kubernetes using the AWS console, follow these steps:
-
Identify the exposed secrets: First, identify which secrets are being exposed in the container environment variables. You can do this by examining the Kubernetes deployment configuration or inspecting the running pods.
-
Store secrets securely: AWS provides a service called AWS Secrets Manager that allows you to store, retrieve, and manage sensitive data such as passwords, API keys, and other secrets. Store the secrets in AWS Secrets Manager instead of hardcoding them in the container environment variables.
-
Update Kubernetes deployment configuration:
- Open the AWS Management Console and navigate to the Amazon EKS console.
- Select your EKS cluster and navigate to the “Workloads” section.
- Find the deployment that contains the exposed secrets and click on it to view the details.
- Update the deployment configuration to fetch the secrets from AWS Secrets Manager instead of using them directly as environment variables.
-
Use AWS IAM roles for service accounts: Instead of directly accessing AWS Secrets Manager from your application code, you can use IAM roles for service accounts (IRSA) to securely provide AWS permissions to your Kubernetes pods. This way, your pods can access AWS services securely without needing to store AWS credentials or secrets in the container environment variables.
-
Monitor and audit: Regularly monitor and audit your Kubernetes clusters for any exposed secrets or misconfigurations. Set up alerts and notifications to detect any unauthorized access or changes to your secrets.
By following these steps, you can remediate secrets being exposed in container environment variables in AWS Kubernetes and ensure that your sensitive data is stored and accessed securely.
Using CLI
To remediate the issue of storing secrets in container environment variables in AWS Kubernetes using AWS CLI, follow these steps:
-
Create a Secret in AWS Secrets Manager:
- Use the AWS CLI to create a secret in AWS Secrets Manager that will store the sensitive information securely. For example, you can create a secret named
my-secretwith key-value pairs for your sensitive data.
aws secretsmanager create-secret --name my-secret --secret-string '{"username":"my_username", "password":"my_password"}' - Use the AWS CLI to create a secret in AWS Secrets Manager that will store the sensitive information securely. For example, you can create a secret named
-
Update Kubernetes Deployment YAML:
- Modify your Kubernetes deployment YAML file to reference the secret stored in AWS Secrets Manager. Replace the environment variables containing sensitive data with references to the secret.
apiVersion: apps/v1 kind: Deployment metadata: name: my-deployment spec: template: spec: containers: - name: my-container image: my-image env: - name: USERNAME valueFrom: secretKeyRef: name: my-secret key: username - name: PASSWORD valueFrom: secretKeyRef: name: my-secret key: password -
Apply the Changes:
- Apply the updated deployment YAML file to your Kubernetes cluster using kubectl.
kubectl apply -f deployment.yaml -
Verify the Deployment:
- Verify that the deployment has been updated successfully and the sensitive data is now being sourced from the AWS Secrets Manager secret.
kubectl get pods kubectl describe pod <pod_name>
By following these steps, you can remediate the issue of storing secrets in container environment variables in AWS Kubernetes by securely storing sensitive information in AWS Secrets Manager and referencing them in your Kubernetes deployment configuration.
Using Python
To remediate the issue of storing secrets in container environment variables in AWS Kubernetes using Python, you can follow these steps:
-
Store Secrets in AWS Secrets Manager:
- Store your sensitive information such as API keys, passwords, etc., securely in AWS Secrets Manager.
-
Grant Access to Secrets:
- Ensure that the Kubernetes service account has the necessary permissions to access the secrets stored in AWS Secrets Manager.
-
Install AWS SDK for Python (Boto3):
- Install the Boto3 library in your Python environment by running the following command:
pip install boto3
- Install the Boto3 library in your Python environment by running the following command:
-
Retrieve Secrets in Python:
- Write a Python script to retrieve the secrets from AWS Secrets Manager. Here is an example script:
import boto3 def get_secret(secret_name): client = boto3.client('secretsmanager') response = client.get_secret_value(SecretId=secret_name) secret = response['SecretString'] return secret # Example usage secret_value = get_secret('your_secret_name')
- Write a Python script to retrieve the secrets from AWS Secrets Manager. Here is an example script:
-
Inject Secrets into Kubernetes Pods:
- Use Kubernetes Secrets to inject the retrieved secrets into your application pods. You can create a Kubernetes Secret object using the retrieved secret value in your Python script.
-
Update Kubernetes Deployment:
- Update your Kubernetes Deployment manifest to mount the secret as a volume or set it as an environment variable in your application container.
-
Deploy the Updated Application:
- Deploy the updated application to your AWS EKS cluster using kubectl or any other deployment tool.
By following these steps, you can remediate the issue of storing secrets in container environment variables in AWS Kubernetes using Python and securely manage your application’s sensitive information.