Data Encryption at Rest/Transient

I have an ECS cluster responsible for deploying a Laravel application. The pipeline goes as follows:

  1. Commit and push code to GitHub
  2. The buildspec.dev.yml leverages a custom-built Dockerfile
  3. The output image is pushed to ECR (private repository)
  4. The image artifact(s) are sent to S3
  5. The task definition pulls the latest image:revision and deploys it to a FARGATE container.

My question is: how do I encrypt the sensitive information present in .env? Which entity should deal with decrypting the data?

2 Answers

You should use AWS Secrets Manager, or a parameter in AWS Systems Manager Parameter Store, to store the secret and pass the sensitive data. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html

AWS EXPERT, answered 2 months ago
EXPERT, reviewed 2 months ago

Hello,

In your scenario, there are a few options to securely handle sensitive information present in your Laravel application's .env file. The approach you choose will depend on your specific requirements. Here are some common strategies:

  1. AWS Secrets Manager: AWS Secrets Manager is a service provided by AWS that securely stores and manages your sensitive data, such as API keys, database credentials, and other secrets. You can create secrets for your .env file and reference them in your ECS task definition. The ECS task will then retrieve the secret during container startup and populate the environment variables. This approach separates your sensitive data from your application code and allows you to rotate secrets without modifying your codebase. Keep in mind that you need to set the permissions on Task Execution role to be able to retrieve the values from Secret Manager.

  2. AWS Systems Manager Parameter Store: Similar to Secrets Manager, the Parameter Store service allows you to store and retrieve sensitive data. However, Parameter Store is primarily designed for configuration data and doesn't provide some of the advanced features of Secrets Manager, such as automatic rotation and integration with other AWS services. You can find more information on how to use Parameter Store to configure your Laravel env in this document.

Here's a summary of how you can implement this approach using AWS Secrets Manager:

  1. Store your sensitive data (e.g., database credentials, API keys) as a secret in AWS Secrets Manager.
  2. In your ECS task definition, reference the secret using the appropriate syntax (e.g., valueFrom field for environment variables).
  3. Add permissions to your Task Execution Role.
  4. During container startup, ECS will retrieve the secret from Secrets Manager and populate the corresponding environment variables in your Laravel application.

By using AWS Secrets Manager, you can centrally manage and rotate your sensitive data without modifying your application code or task definitions. Additionally, Secrets Manager provides auditing and access control capabilities to ensure that your secrets are accessed only by authorized entities.

AWS, answered 2 months ago
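Both answers above point at the same mechanism: the sensitive keys leave the .env file and become `secrets` entries in the ECS container definition, and the entity that fetches and decrypts them is the ECS agent acting as the task execution role (not the Laravel process and not the task role). The following is an added example, not code from either answer or from AWS; it takes a constructed sample .env, emits the `secrets` and `environment` arrays for the container definition using the documented `valueFrom` form for a JSON key inside one Secrets Manager secret, and emits a least-privilege inline policy for the task execution role. The secret name, ARNs, account ID, image URI and the set of sensitive keys are all hypothetical.

```python
"""Build ECS container-definition `secrets` entries and the matching
task-execution-role policy for a Laravel .env file.

Added example, not code from the original post or from AWS. Assumes a single
Secrets Manager secret whose value is a JSON object keyed by .env variable
name, and an ECS task execution role distinct from the task role. All ARNs,
names and the image URI are hypothetical.
"""
import json

# Constructed sample .env. Sensitive keys carry placeholders here; the real
# values live only in Secrets Manager and must not be baked into the image or
# the .env artifact pushed to S3.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=REPLACED_BY_SECRETS_MANAGER
DB_HOST=db.internal
DB_USERNAME=laravel
DB_PASSWORD=REPLACED_BY_SECRETS_MANAGER
"""

SENSITIVE_KEYS = {"APP_KEY", "DB_PASSWORD"}

# Hypothetical secret ARN (Secrets Manager appends a random 6-char suffix).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/laravel/env-AbCdEf"
IMAGE_URI = "123456789012.dkr.ecr.us-east-1.amazonaws.com/laravel:latest"


def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def container_secrets(env, secret_arn, sensitive_keys):
    """One `secrets` entry per sensitive key. valueFrom uses the documented
    form <secret ARN>:<json-key>:<version-stage>:<version-id>; leaving the
    last two fields empty selects the AWSCURRENT version."""
    return [
        {"name": key, "valueFrom": f"{secret_arn}:{key}::"}
        for key in env if key in sensitive_keys
    ]


def container_environment(env, sensitive_keys):
    """Non-sensitive keys stay as plain `environment` entries; sensitive keys
    are deliberately excluded so the placeholders never reach the task."""
    return [{"name": k, "value": v} for k, v in env.items() if k not in sensitive_keys]


def execution_role_policy(secret_arn, kms_key_arn=None):
    """Least-privilege inline policy for the task *execution* role. The ECS
    agent, acting as this role, calls GetSecretValue at container start.
    kms:Decrypt on the key is needed only when the secret is encrypted with a
    customer-managed KMS key instead of the AWS managed key."""
    statements = [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [secret_arn],
    }]
    if kms_key_arn:
        statements.append({
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [kms_key_arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def build_container_definition(env_text, secret_arn, sensitive_keys, image):
    """Assemble the containerDefinitions[] entry for the task definition."""
    env = parse_env(env_text)
    return {
        "name": "laravel",
        "image": image,
        "environment": container_environment(env, sensitive_keys),
        "secrets": container_secrets(env, secret_arn, sensitive_keys),
    }


if __name__ == "__main__":
    cdef = build_container_definition(SAMPLE_ENV, SECRET_ARN, SENSITIVE_KEYS, IMAGE_URI)
    print(json.dumps(cdef, indent=2))
    print(json.dumps(execution_role_policy(SECRET_ARN), indent=2))
```

The generated `secrets` entries are what ECS resolves at task start; inside the container the values appear as ordinary process environment variables, so Laravel's config files read them through `env()` exactly as they would read a .env file. That also means anything that can dump the process environment (a debug page, `phpinfo()`, a shell in the task) sees them in the clear, so the execution role's policy should name only the secret this task needs rather than `secretsmanager:*` on `*`.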
