AWS Security ChangesHomeSearch

AWS elasticbeanstalk documentation change

Service: elasticbeanstalk · 2025-04-01 · Documentation high

File: elasticbeanstalk/latest/dg/security-best-practices.md

Summary

Added new section 'Protect sensitive application data' with recommendations for using Secrets Manager/Parameter Store

Security assessment

Proactive security guidance about sensitive data protection rather than addressing a known vulnerability

Diff

diff --git a/elasticbeanstalk/latest/dg/security-best-practices.md b/elasticbeanstalk/latest/dg/security-best-practices.md
index 9c903dfe0..600696eef 100644
--- a/elasticbeanstalk/latest/dg/security-best-practices.md
+++ b/elasticbeanstalk/latest/dg/security-best-practices.md
@@ -22,0 +23,13 @@ Your application might not require all the permissions in our managed policies.
+### Protect sensitive application data
+
+When your application needs to access sensitive information like credentials, API keys, or configuration data, follow these practices to maintain security:
+
+  * Retrieve sensitive data directly from AWS Secrets Manager or AWS Systems Manager Parameter Store using their respective SDKs or APIs in your application code. This provides the most secure and flexible way to access sensitive information.
+
+  * If you pass sensitive data from AWS Secrets Manager or AWS Systems Manager Parameter Store as environment variables (see [Fetch secrets to environment variables](./AWSHowTo.secrets.env-vars.html)), carefully restrict access to EC2 key pairs and configure appropriate IAM roles with least-privilege permissions for your instances. 
+
+  * Never print, log, or expose sensitive data in your application code, as these values could end up in log files or error messages that might be visible to unauthorized users.
+
+
+
+