AWS Security ChangesHomeSearch

AWS elasticbeanstalk high security documentation change

Service: elasticbeanstalk · 2025-04-01 · Security-related high

File: elasticbeanstalk/latest/dg/create_deploy_docker_v2config.md

Summary

Added documentation for executionRoleArn configuration, IAM permissions requirements (including iam:PassRole), and secret/parameter store access policies for secure environment variables

Security assessment

The changes explicitly document required IAM permissions for securely accessing secrets/parameters via Secrets Manager/Systems Manager, including role delegation (iam:PassRole) and encryption (kms:Decrypt). This addresses secure handling of sensitive credentials.

Diff

diff --git a/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.md b/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.md
index b2cfbd7a5..fe372c7b1 100644
--- a/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.md
+++ b/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.md
@@ -5 +5 @@
-Dockerrun.aws.json v2Volume formatContainer definition formatAuthentication format – using images from a private repositoryExample Dockerrun.aws.json v2
+Dockerrun.aws.json v2Volume formatExecution Role ARN formatContainer definition formatAuthentication format – using images from a private repositoryExample Dockerrun.aws.json v2
@@ -20,0 +21,2 @@ A `Dockerrun.aws.json` file can be used on its own or zipped up with additional
+  * Execution Role ARN format
+
@@ -38,0 +41,5 @@ Specifies the version number as the value `2` for ECS managed Docker environment
+**executionRoleArn**
+    
+
+Specifies the task execution IAM roles for different purposes and services associated with your account. For your application to use Elastic Beanstalk [environment variables stored as secrets](./AWSHowTo.secrets.env-vars.html), you’ll need to specify the ARN of a task execution role that grants the required permissions. Other common use cases may also require this parameter. For more information, see Execution Role ARN format.
+
@@ -77,0 +85,116 @@ For more details, see the `mountPoints` field in the _Container definition forma
+## Execution Role ARN format
+
+In order for your application to use Elastic Beanstalk [environment variables stored as secrets](./AWSHowTo.secrets.env-vars.html), you'll need to specify a task execution IAM role. The role must grant the Amazon ECS container permission to make AWS API calls on your behalf using AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters to reference sensitive data. For instructions to create a task execution IAM role with the required permissions for your account, see [Amazon ECS task execution IAM role ](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) in the Amazon Elastic Container Service Developer Guide.
+    
+    
+    {
+    "AWSEBDockerrunVersion": 2,
+      "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
+
+### Additional permissions required for the Amazon ECS managed Docker platform 
+
+###### EC2 instance profile grants `iam:PassRole` to ECS
+
+In order for your EC2 instance profile to be able to grant this role to the ECS container, you must include the `iam:PassRole` permission demonstrated in the following example. The `iam:PassRole` allows the EC2 instances permission _to pass_ the task execution role to the ECS container.
+
+In this example, we limit the EC2 instance to only pass the role to the ECS service. Although this condition is not required, we add it to follow best practices to reduce the scope of the permission shared. We accomplish this with the `Condition` element.
+
+###### Note
+
+Any usage of the ECS IAM task execution role requires the `iam:PassRole` permission. There are other common use cases that require the ECS task execution managed service role. For more information, see [Amazon ECS task execution IAM role ](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) in the Amazon Elastic Container Service Developer Guide.
+
+###### Example policy with `iam:PassRole` permission
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "iam:PassRole",
+                "Resource": [
+                    "arn:aws:iam::123456789012:role/ecs-task-execution-role"
+                ],
+                "Condition": {
+                    "StringLike": {
+                        "iam:PassedToService": "ecs-tasks.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+
+###### Granting secrets and parameters access to the Amazon ECS container agent
+
+The Amazon ECS task execution IAM role also needs permissions to access the secrets and parameter stores. Similar to the requirements of the EC2 instance profile role, the ECS container agent requires permission to pull the necessary Secrets Manager or Systems Manager resources. For more information, see [Secrets Manager or Systems Manager permissions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html#task-execution-secrets) in the _Amazon Elastic Container Service Developer Guide_
+
+###### Granting secrets and parameters access to the Elastic Beanstalk EC2 instances
+
+To support secrets configured as environment variables, you'll also need to add permissions to your EC2 instance profile. For more information, see [Fetching secrets and parameters to Elastic Beanstalk environment variables](./AWSHowTo.secrets.env-vars.html) and [Required IAM permissions for Secrets Manager](./AWSHowTo.secrets.IAM-permissions.html#AWSHowTo.secrets.IAM-permissions.secrets-manager).
+
+The following examples combine the previous `iam:PassRole` example with the examples provided in the referenced [Required IAM permissions for Secrets Manager](./AWSHowTo.secrets.IAM-permissions.html#AWSHowTo.secrets.IAM-permissions.secrets-manager). They add the permissions that the EC2 instances require to access the AWS Secrets Manager and AWS Systems Manager stores to retrieve the secrets and parameter data to initialize the Elastic Beanstalk environment variables that have been configured for secrets.
+
+###### Example Secrets Manager policy combined with `iam:PassRole` permission
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+           {
+                "Effect": "Allow",
+                "Action": "iam:PassRole",
+                "Resource": [
+                    "arn:aws:iam::123456789012:role/ecs-task-execution-role"
+                ],
+                "Condition": {
+                    "StringLike": {
+                        "iam:PassedToService": "ecs-tasks.amazonaws.com"
+                   }
+                } 
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetSecretValue",
+                    "kms:Decrypt"          
+                ],
+                "Resource": [
+                    "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-secret",
+                    "arn:aws:kms:us-east-1:111122223333:key/my-key"
+                ]
+            }
+        ]
+    }
+
+###### Example Systems Manager policy combined with `iam:PassRole` permission
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+           {
+                "Effect": "Allow",
+                "Action": "iam:PassRole",
+                "Resource": [
+                    "arn:aws:iam::123456789012:role/ecs-task-execution-role"
+                ],
+                "Condition": {
+                    "StringLike": {
+                        "iam:PassedToService": "ecs-tasks.amazonaws.com"
+                   }
+                } 
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ssm:GetParameter",
+                    "kms:Decrypt"
+                ],
+                "Resource": [
+                    "arn:aws:ssm:us-east-1:111122223333:parameter/my-parameter",
+                    "arn:aws:kms:us-east-1:111122223333:key/my-key"
+                ]
+            }
+        ]
+    }
+
@@ -271 +394 @@ ECS managed Docker configuration for Elastic Beanstalk
-Container instance role
+Container managed policy and EC2 instance role