AWS Security ChangesHomeSearch

AWS elasticbeanstalk documentation change

Service: elasticbeanstalk · 2026-01-16 · Documentation low

File: elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md

Summary

Updated documentation to exclusively use AWS Secrets Manager for Docker repository authentication, removing support for AWS Systems Manager (SSM) Parameter Store. Added JSON secret format requirements and updated platform version dependencies.

Security assessment

The change promotes using AWS Secrets Manager (designed for secrets) over SSM Parameter Store (general-purpose parameters). While this improves security posture by encouraging best practices for secret management, there's no evidence of a specific security vulnerability being addressed. The update adds documentation about secure credential handling through environment variables and JSON secret formats.

Diff

diff --git a/elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md b/elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md
index 47651de62..6323c1d84 100644
--- a//elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md
+++ b//elasticbeanstalk/latest/dg/docker-configuration.remote-repo.md
@@ -5 +5 @@
-Amazon ECR repositorySSM Parameter Store or AWS Secrets ManagerDockerrun.aws.json fileAmazon ECR Public images
+Amazon ECR repositoryAWS Secrets ManagerDockerrun.aws.json fileAmazon ECR Public images
@@ -77 +77 @@ For the [Docker platform](./single-container-docker-configuration.html) refer to
-## Using AWS Systems Manager (SSM) Parameter Store or AWS Secrets Manager
+## Using AWS Secrets Manager
@@ -90 +90 @@ This approach uses the _prebuild_ phase of the Elastic Beanstalk deployment proc
-The hook scripts securely retrieve credentials from environment variables that are populated from AWS Systems Manager Parameter Store or AWS Secrets Manager. This feature requires Elastic Beanstalk Docker and ECS managed Docker platforms released on or after [March 26, 2025](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2025-03-26-windows.html). For more details, see [environment variable configuration](./AWSHowTo.secrets.env-vars.html).
+The hook scripts retrieve a username and password from environment variables that are populated from a single AWS Secrets Manager secret in JSON format. This feature requires Elastic Beanstalk Docker and ECS managed Docker platforms released on or after [January 13, 2026](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2026-01-13-al2023.html). For more details, see [environment secrets](./AWSHowTo.secrets.env-vars.html).
@@ -92 +92 @@ The hook scripts securely retrieve credentials from environment variables that a
-###### To configure Elastic Beanstalk to authenticate to your private repository with AWS Systems Manager Parameter Store or AWS Secrets Manager
+###### To configure Elastic Beanstalk to authenticate to your private repository with AWS Secrets Manager
@@ -96 +96 @@ The hook scripts securely retrieve credentials from environment variables that a
-Before proceeding, ensure you have set up your credentials in AWS Systems Manager Parameter Store or AWS Secrets Manager and configured the necessary IAM permissions. See [Prerequisites to configure secrets as environment variables](./AWSHowTo.secrets.env-vars.html#AWSHowTo.secrets.configure-env-vars.prerequisites) for details. 
+Before proceeding, ensure you have set up your credentials in AWS Secrets Manager and configured the necessary IAM permissions. See [Prerequisites to configure secrets as environment variables](./AWSHowTo.secrets.env-vars.html#AWSHowTo.secrets.configure-env-vars.prerequisites) for details. 
@@ -111 +111 @@ Before proceeding, ensure you have set up your credentials in AWS Systems Manage
-  2. Use [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started.html) Parameter Store or [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) to save the credentials of your private repository. This example shows both AWS Systems Manager Parameter Store and AWS Secrets Manager but you can choose to use just one of these services.
+  2. Use [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) to save the credentials of your private repository as a JSON-formatted secret.
@@ -113,2 +113,2 @@ Before proceeding, ensure you have set up your credentials in AWS Systems Manage
-        aws ssm put-parameter --name USER --type SecureString --value "username"
-    aws secretsmanager create-secret --name PASSWD --secret-string "passwd"
+        aws secretsmanager create-secret --name repo-credentials \
+        --secret-string '{"username":"myuser","password":"mypassword"}'
@@ -116,5 +116 @@ Before proceeding, ensure you have set up your credentials in AWS Systems Manage
-  3. Create the following `env.config` file and place it in the `.ebextensions` directory as shown in the preceding directory structure. This configuration uses the [aws:elasticbeanstalk:application:environmentsecrets](./command-options-general.html#command-options-general-elasticbeanstalk-application-environmentsecrets) namespace to initialize the `USER` and `PASSWD` Elastic Beanstalk environment variables to the values that are stored in the Systems Manager Parameter Store.
-
-###### Note
-
-Ensure the variable names `USER` and `PASSWD` match the parameter names used in the [put-parameter](https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html) and [create-secret](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html) commands.
+  3. Create the following `env.config` file and place it in the `.ebextensions` directory as shown in the preceding directory structure. This configuration uses the [aws:elasticbeanstalk:application:environmentsecrets](./command-options-general.html#command-options-general-elasticbeanstalk-application-environmentsecrets) namespace with [JSON key extraction](./AWSHowTo.secrets.env-vars.html#AWSHowTo.secrets.json) to initialize the `USER` and `PASSWD` Elastic Beanstalk environment variables from individual fields in the secret.
@@ -124,2 +120,2 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-        USER: arn:aws:ssm:us-east-1:111122223333:parameter/user
-        PASSWD: arn:aws:secretsmanager:us-east-1:111122223333:passwd
+        USER: arn:aws:secretsmanager:us-east-1:111122223333:secret:repo-credentials-AbCd12:username
+        PASSWD: arn:aws:secretsmanager:us-east-1:111122223333:secret:repo-credentials-AbCd12:password
@@ -127 +123 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-  4. Create the following `01login.sh` script file and place it in the following directories (also shown in the preceding directory structure):
+  4. Create the following `01login.sh` script file and place it in the following locations (also shown in the preceding directory structure):
@@ -129 +125 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-     * `.platform/confighooks/prebuild`
+     * `.platform/confighooks/prebuild/01login.sh`
@@ -131 +127 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-     * `.platform/hooks/prebuild`
+     * `.platform/hooks/prebuild/01login.sh`
@@ -133 +128,0 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-        ### example 01login.sh
@@ -137 +132 @@ Ensure the variable names `USER` and `PASSWD` match the parameter names used in
-The `01login.sh` script uses the environment variables configured in **Step 3** and securely passes the password to **docker login** via `stdin`. For more information about Docker authentication, see [docker login](https://docs.docker.com/engine/reference/commandline/login/) in the Docker documentation.
+The `01login.sh` script uses the environment variables configured in **Step 3** and passes the password to **docker login** via `stdin`. For more information about Docker authentication, see [docker login](https://docs.docker.com/engine/reference/commandline/login/) in the Docker documentation.
@@ -141 +136 @@ The `01login.sh` script uses the environment variables configured in **Step 3**
-     * Hook files can be either binary files or script files starting with a **#!** line containing their interpreter path, such as **#!/bin/bash**.
+     * The ECS managed Docker platform uses the native ECS syntax for referencing secrets. For more information, see [Pass Secrets Manager secrets through Amazon ECS environment variables](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html) in the _Amazon Elastic Container Service Developer Guide_.
@@ -143 +138 @@ The `01login.sh` script uses the environment variables configured in **Step 3**
-     * For more information, see [Platform hooks](./platforms-linux-extend.hooks.html) in _Extending Elastic Beanstalk Linux platforms_.
+     * For more information about platform hooks, see [Platform hooks](./platforms-linux-extend.hooks.html) in _Extending Elastic Beanstalk Linux platforms_.