Best practice - how to pass SES IAM User credentials to an Fargate Task?

Question

I 've got a question regarding the handling of "hardcoded" secrets in AWS. Here is my setup:

We are running a Fargate cluster consisting of 3 services. One of the services (The backend) needs credentials to our SES account (mail sending) and S3 bucket (File Storage). At the moment we use the AWS secrets manager which holds the credentials of the ses-smtp user and the s3 user and injects the secret values as environment variables at the starup of the container. The entire stack (Except the SES which is in an other region) is created using cloud formation templates. The required secrets are also created by a template. And there is my "problem" - at the moment the secrets template contains the hardcoded SES and S3 credentials which is bad since the template gets pushed to the templates bucket (it's not public but anyways) and it could potentially got committed to version control where it will be exposed to anyone who has reading access to the project. The question is - what is the best practice to pass the SES and S3 Credentials to the container without exposing them at any place?

Thanks in advance, Al

Answer 1

Use IAM for SES and S3 Access

Your ECS cluster has a task role. It is assumed by your underlining containers, and those will have all of the access defined in your role, policies attached to it.

AWS services access

For your SES and S3 access create policies with restricted access and attach those to the role.

Regular credentials

For some plain text credentials, I would recommend creating those in the parameter store and map those into the container in your task-definition. Pass secrets safely. You should not create your parameter store secrets in the cloud formation template, it is better to add those manually, and reference from where you need those.