mcagov / beacons

The Beacons registration service
MIT License

Uplift password management for ECS tasks to pass in secrets using AWS Secrets Manager #14

Closed matthew-a-carr closed 3 years ago

matthew-a-carr commented 3 years ago

Overview

The DB password for the RDS PostgreSQL instance is passed in using GitHub secrets, which will ensure that the secrets are encrypted before they reach the runner, but is not optimal as it will mean that the secrets are exposed to anyone who has access to the ECS task definition within the AWS console.

A more secure solution would be to look at storing the secrets in AWS Secrets Manager and injecting those using the secrets key in the ECS task definition. See link below.

Links

matthew-a-carr commented 3 years ago

This has been done as part of https://github.com/mcagov/beacons-integration/pull/23

@Ninamma FYI

matthew-a-carr commented 3 years ago

Closed as the secrets for the ECS tasks are passed in using Secrets Manager ARNs.
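Added example, not part of the issue thread or the project's code: a check over an ECS task definition that flags sensitive-looking variables left as plaintext under `environment` and confirms that entries under `secrets` reference a Secrets Manager ARN in `valueFrom`, as the issue proposes. The task definition, container names, ARN and name patterns are constructed for illustration, and requiring Secrets Manager (rather than SSM Parameter Store) is an assumption taken from the issue.

```python
import json
import re

# Constructed sample: one container as described before the change, one after.
TASK_DEFINITION = json.loads("""
{
  "family": "example-service",
  "containerDefinitions": [
    {"name": "before",
     "environment": [
       {"name": "DATABASE_PASSWORD", "value": "constructed-plaintext"},
       {"name": "DATABASE_HOST", "value": "db.example.internal"}]},
    {"name": "after",
     "environment": [{"name": "DATABASE_HOST", "value": "db.example.internal"}],
     "secrets": [
       {"name": "DATABASE_PASSWORD",
        "valueFrom": "arn:aws:secretsmanager:eu-west-2:111122223333:secret:example/db-AbCdEf"}]}
  ]
}
""")

# Heuristic name patterns (assumption); tune to your own naming conventions.
SENSITIVE_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)
# Secrets Manager ARN, optionally followed by :json-key:version-stage:version-id.
SECRETS_MANAGER_ARN = re.compile(
    r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")

def audit(task_def):
    """Return (container, variable, problem) tuples for a task definition."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "<unnamed>")
        # Values under "environment" are stored in the task definition itself,
        # so anyone who can read the task definition can read them.
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append((cname, env["name"], "plaintext in environment"))
        # Values under "secrets" are references resolved when the task starts.
        for secret in container.get("secrets", []):
            if not SECRETS_MANAGER_ARN.match(secret.get("valueFrom", "")):
                findings.append((cname, secret.get("name", ""),
                                 "valueFrom is not a Secrets Manager ARN"))
    return findings

if __name__ == "__main__":
    for container, variable, problem in audit(TASK_DEFINITION):
        print(f"{container}: {variable}: {problem}")
```

The same function can be run against the JSON returned by `aws ecs describe-task-definition` by passing its `taskDefinition` object.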