AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-03-10 · Documentation low

File: AmazonECS/latest/developerguide/specifying-sensitive-data.md

Summary

Updated example project reference for secrets handling from 'secrets-store-csi-driver-provider-aws' to 'task-def.json' sample

Security assessment

Change improves documentation about secure secret handling patterns using sidecar containers and Secrets Manager, but doesn't address a specific security vulnerability

Diff

diff --git a/AmazonECS/latest/developerguide/specifying-sensitive-data.md
index 6569e3c66..a1a8812f9 100644
--- a/AmazonECS/latest/developerguide/specifying-sensitive-data.md
+++ b/AmazonECS/latest/developerguide/specifying-sensitive-data.md
@@ -47 +47 @@ You should store secrets in an encrypted Amazon S3 bucket and use task roles to
-Because there's an elevated risk of data leakage with environment variables, you should run a sidecar container that reads your secrets from AWS Secrets Manager and write them to a shared volume. This container can run and exit before the application container by using [Amazon ECS container ordering](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDependency.html). When you do this, the application container subsequently mounts the volume where the secret was written. Like the Amazon S3 bucket method, your application must be written to read the secret from the shared volume. Because the volume is scoped to the task, the volume is automatically deleted after the task stops. For an example, see the [secrets-store-csi-driver-provider-aws](https://github.com/aws/secrets-store-csi-driver-provider-aws) project.
+Because there's an elevated risk of data leakage with environment variables, you should run a sidecar container that reads your secrets from AWS Secrets Manager and write them to a shared volume. This container can run and exit before the application container by using [Amazon ECS container ordering](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDependency.html). When you do this, the application container subsequently mounts the volume where the secret was written. Like the Amazon S3 bucket method, your application must be written to read the secret from the shared volume. Because the volume is scoped to the task, the volume is automatically deleted after the task stops. For an example, see the [task-def.json](https://github.com/aws-samples/aws-secret-sidecar-injector/blob/master/ecs-task-def/task-def.json) project.