AWS elasticbeanstalk medium security documentation change
Summary
Updated documentation to include AWS Secrets Manager as an additional option for storing Docker repository credentials alongside SSM Parameter Store. Enhanced instructions for secure credential retrieval using SecureString parameters and Secrets Manager secrets.
Security assessment
The change introduces AWS Secrets Manager as a secure alternative for credential storage and updates SSM Parameter Store examples to use SecureString type (encrypted parameters) instead of plaintext Strings. This directly improves security by promoting encrypted secret storage and broader secret management best practices. The documentation now explicitly guides users toward services designed for secure credential handling.
Diff
diff --git a/elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md b/elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md index 418720e80..27d9426fc 100644 --- a//elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md +++ b//elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md @@ -5 +5 @@ -Amazon ECR repositorySSM Parameter StoreDockerrun.aws.json file +Amazon ECR repositorySSM Parameter Store or AWS Secrets ManagerDockerrun.aws.json file @@ -77 +77 @@ For the [Docker platform](./single-container-docker-configuration.html) refer to -## Using the AWS Systems Manager (SSM) Parameter Store +## Using AWS Systems Manager (SSM) Parameter Store or AWS Secrets Manager @@ -79 +79 @@ For the [Docker platform](./single-container-docker-configuration.html) refer to -You can configure Elastic Beanstalk to log in to your private repository before it starts the deployment process. This enables Elastic Beanstalk to access the images from the repository and deploy these images to your Elastic Beanstalk environment. +Configure Elastic Beanstalk to authenticate with your private repository before deployment to enable access to your container images. @@ -81 +81 @@ You can configure Elastic Beanstalk to log in to your private repository before -This configuration initiates events in the _prebuild_ phase of the Elastic Beanstalk deployment process. You set this up in the [.ebextentions](./ebextensions.html) configuration directory. The configuration uses [platform hook](./platforms-linux-extend.hooks.html) scripts that call **docker login** to authenticate to the online registry that hosts the private repository. The platform hook scripts securely read the credential data from Elastic Beanstalk environment variables that are initialized by a configuration that sources the values from AWS Systems Manager Parameter Store. Your Elastic Beanstalk Docker and ECS managed Docker platforms must be a version released on or after [March 26, 2025](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2025-03-26-windows.html) to support this [environment variable configuration](./AWSHowTo.secrets.env-vars.html). A detailed breakdown of these configuration steps follows. +This approach uses the _prebuild_ phase of the Elastic Beanstalk deployment process with two components: @@ -83 +83,10 @@ This configuration initiates events in the _prebuild_ phase of the Elastic Beans -###### To configure Elastic Beanstalk to authenticate to your private repository with AWS Systems Manager Parameter Store + * [ebextensions](./ebextensions.html) to define environment variables that store repository credentials + + * [platform hook scripts](./platforms-linux-extend.hooks.html) to execute **docker login** before pulling images + + + + +The hook scripts securely retrieve credentials from environment variables that are populated from AWS Systems Manager Parameter Store or AWS Secrets Manager. This feature requires Elastic Beanstalk Docker and ECS managed Docker platforms released on or after [March 26, 2025](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2025-03-26-windows.html). For more details, see [environment variable configuration](./AWSHowTo.secrets.env-vars.html). + +###### To configure Elastic Beanstalk to authenticate to your private repository with AWS Systems Manager Parameter Store or AWS Secrets Manager @@ -87 +96 @@ This configuration initiates events in the _prebuild_ phase of the Elastic Beans -You need to set up your credentials in the AWS Systems Manager Parameter Store and also set up required IAM permissions to complete these steps. For more information, see [Prerequisites to configure secrets as environment variables](./AWSHowTo.secrets.env-vars.html#AWSHowTo.secrets.configure-env-vars.prerequisites). +Before proceeding, ensure you have set up your credentials in AWS Systems Manager Parameter Store or AWS Secrets Manager and configured the necessary IAM permissions. See [Prerequisites to configure secrets as environment variables](./AWSHowTo.secrets.env-vars.html#AWSHowTo.secrets.configure-env-vars.prerequisites) for details. @@ -89 +98 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a - 1. Create your `.ebextensions` directory structure as follows. + 1. Create the following directory structure for your project: @@ -100 +109 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a - ├── docker-compose.yml + ├── Dockerfile @@ -102 +111 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a - 2. Use the [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started.html) Parameter Store to save the credentials of your private repository. Run the following AWS CLI Systems Manager **put-parameter** command to create these in the Parameter Store. + 2. Use [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started.html) Parameter Store or [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) to save the credentials of your private repository. This example shows both AWS Systems Manager Parameter Store and AWS Secrets Manager but you can choose to use just one of these services. @@ -104,2 +113,2 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a - aws ssm put-parameter --name USER --type String --value "username" - aws ssm put-parameter --name PASSWD --type String --value "passwd" + aws ssm put-parameter --name USER --type SecureString --value "username" + aws secretsmanager create-secret --name PASSWD --secret-string "passwd" @@ -111 +120 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a -`USER` and `PASSWD` in the script must match the same strings that are used in the preceding **ssm put-parameter** commands. +Ensure the variable names `USER` and `PASSWD` match the parameter names used in the [put-parameter](https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html) and [create-secret](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html) commands. @@ -128 +137 @@ You need to set up your credentials in the AWS Systems Manager Parameter Store a -The `01login.sh` references the Elastic Beanstalk environment variables that you configured in **Step 3** to store the repository credentials, and it pipes the password directly to the **docker login** command in the `stdin` input stream. The `--password-stdin` option uses the input stream, preventing the password from persisting in the shell history or audit logs. For more information about authentication with the Docker command line interface, see [docker login](https://docs.docker.com/engine/reference/commandline/login/) on the Docker documentation website. +The `01login.sh` script uses the environment variables configured in **Step 3** and securely passes the password to **docker login** via `stdin`. For more information about Docker authentication, see [docker login](https://docs.docker.com/engine/reference/commandline/login/) in the Docker documentation. @@ -132,2 +140,0 @@ The `01login.sh` references the Elastic Beanstalk environment variables that you - * All script files must have execute permission. Use **chmod +x** to set execute permission on your hook files. For all Amazon Linux 2 based platforms versions that were released on or after April 29, 2022, Elastic Beanstalk automatically grants execute permissions to all of the platform hook scripts. In this case you don't have to manually grant execute permissions. For a list of these platform versions, refer to the [April 29, 2022 - Linux platform ](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2022-04-29-linux.html#release-2022-04-29-linux.platforms) release notes in the _AWS Elastic Beanstalk Release Notes Guide_. - @@ -141 +148 @@ The `01login.sh` references the Elastic Beanstalk environment variables that you -After Elastic Beanstalk can authenticate with the online registry that hosts the private repository, your images can be deployed and pulled. +Once authentication is configured, Elastic Beanstalk can pull and deploy images from your private repository.