Skip to main content

Exposing a sensitive environment variable in the configuration can lead to credentials leak

  • GG_ID: GG_IAC_0007
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: SECRET
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


The value of a sensitive environment variable is defined in plaintext.


The secret is exposed to anyone with access to the configuration and from the AWS Management Console.

Remediation guidelines#

Secrets should be pulled from a secure secret storage by the service using them.

External documentation#