Exposing a sensitive environment variable in the configuration can lead to credentials leak

• GG_ID: GG_IAC_0007
• Severity: CRITICAL
• Complexity: LOW
• Categories: SECRET
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

The value of a sensitive environment variable is defined in plaintext.

Impact

The secret is exposed to anyone with access to the configuration and from the AWS Management Console.

Remediation guidelines

Secrets should be pulled from a secure secret storage by the service using them.

External documentation

• AWS Secrets Manager
• HashiCorp Secrets Manager