I tried out ECS_NO_ENVIRONMENT_SECRETS since 191 AWS Config managed rules were added
This page has been translated by machine translation. View original
Introduction
On July 9, 2026, 191 managed rules were added to AWS Config all at once.
The targets include more than 30 services such as ECS, Bedrock, RDS, and S3. Rules have been added to evaluate resource configurations from a security and compliance perspective.
In this article, we will enable ECS_NO_ENVIRONMENT_SECRETS from among the newly added rules and verify how ECS task definitions containing environment variables with specified key names are detected as NON_COMPLIANT. We will also pick up and introduce particularly useful rules from the 191 added.
Verification Details
Overview of the ECS_NO_ENVIRONMENT_SECRETS Rule
This rule checks whether container environment variable names in ECS task definitions match the key names specified in secretKeys. It does not analyze the actual values of environment variables to determine whether they are secrets.
| Item | Details |
|---|---|
| Rule Identifier | ECS_NO_ENVIRONMENT_SECRETS |
| Resource Type | AWS::ECS::TaskDefinition |
| Trigger | Configuration changes |
| Parameter | secretKeys (specify target key names in CSV format) |
For the parameter secretKeys, specify the key names you want to detect, separated by commas. If the key name of an environment variable directly specified in the container definition of a task definition matches secretKeys, it becomes NON_COMPLIANT.
Verification Procedure
Enabling the Config Managed Rule
Create the rule with put-config-rule.
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "ecs-no-environment-secrets",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "ECS_NO_ENVIRONMENT_SECRETS"
},
"InputParameters": "{\"secretKeys\": \"AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,DB_PASSWORD\"}",
"Scope": {
"ComplianceResourceTypes": ["AWS::ECS::TaskDefinition"]
}
}'
Creating an ECS Task Definition That Becomes NON_COMPLIANT
Register a task definition that includes an environment variable named DB_PASSWORD, which is specified in secretKeys. Use a dummy string for the value for verification purposes.
aws ecs register-task-definition \
--family config-rule-test-secrets \
--network-mode awsvpc \
--requires-compatibilities FARGATE \
--cpu 256 --memory 512 \
--container-definitions '[{
"name": "app",
"image": "nginx:latest",
"memory": 256,
"essential": true,
"environment": [
{"name": "DB_PASSWORD", "value": "dummy-password-for-config-test"},
{"name": "APP_ENV", "value": "test"}
]
}]'
Since DB_PASSWORD matches secretKeys, this task definition becomes NON_COMPLIANT.
Checking Evaluation Results
Retrieve NON_COMPLIANT resources using get-compliance-details-by-config-rule.
aws configservice get-compliance-details-by-config-rule \
--config-rule-name ecs-no-environment-secrets \
--compliance-types NON_COMPLIANT
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"EvaluationResultQualifier": {
"ConfigRuleName": "ecs-no-environment-secrets",
"ResourceType": "AWS::ECS::TaskDefinition",
"ResourceId": "config-rule-test-secrets",
"EvaluationMode": "DETECTIVE"
},
"OrderingTimestamp": "2026-07-10T13:11:55.328000+00:00"
},
"ComplianceType": "NON_COMPLIANT",
"ResultRecordedTime": "2026-07-10T13:12:03.607000+00:00",
"ConfigRuleInvokedTime": "2026-07-10T13:12:03.368000+00:00",
"Annotation": "The following containers have secret key names defined in their environment variables: ['app']."
}
]
}
config-rule-test-secrets was detected as NON_COMPLIANT. The task definition family name is used for ResourceId (not the ARN). The Annotation indicates which container is in violation — in this case, the container named app. In this verification environment, evaluation completed approximately 8 seconds after registering the task definition (when recording frequency is CONTINUOUS).
Introduction of Useful Rules
From the 191 rules, here are the ones the author found particularly useful, picked up by category.
Containers (ECS)
In environments using ECS, the following rules are helpful for basic security hygiene checks.
| Rule | Overview |
|---|---|
ECS_NO_ENVIRONMENT_SECRETS |
Detects whether environment variables with key names specified in secretKeys are included in container definitions |
ECS_CONTAINERS_NONPRIVILEGED |
Detects containers running in privileged mode |
ECS_TASK_DEFINITION_LOG_CONFIGURATION |
Detects task definitions with no log configuration |
ECS_FARGATE_LATEST_PLATFORM_VERSION |
Checks whether the PlatformVersion of a Fargate service is LATEST or a specified latest version |
Storage & Data (S3 / RDS)
From a data protection perspective, rules are available to detect settings worth considering at creation time or settings to continuously verify.
| Rule | Overview |
|---|---|
S3_BUCKET_ACL_PROHIBITED |
Checks whether user access permissions via ACLs are configured on S3 buckets |
S3_ACCESS_POINT_IN_VPC_ONLY |
Checks whether S3 access points are restricted to within a VPC |
RDS_CLUSTER_ENCRYPTED_AT_REST |
Encryption at rest for RDS clusters (cannot be enabled directly on existing clusters, making early detection important) |
RDS_PROXY_TLS_ENCRYPTION |
Checks whether RDS Proxy enforces TLS for all connections |
Authentication & Authorization (IAM / Cognito / KMS)
Rules to detect misconfigurations in access control settings.
| Rule | Overview |
|---|---|
COGNITO_USER_POOL_MFA_ENABLED |
Checks whether MFA is enabled for Cognito user pools with a PASSWORD-only sign-in policy |
KMS_KEY_POLICY_NO_PUBLIC_ACCESS |
Checks whether KMS key policies contain public access |
IAM_EXTERNAL_ACCESS_ANALYZER_ENABLED |
Checks whether IAM Access Analyzer is enabled |
AI / ML (Amazon Bedrock / Bedrock AgentCore)
These are newly added rules for Amazon Bedrock and Bedrock AgentCore. Configuration items such as authentication, networking, and encryption can now be checked using built-in Config rules.
| Rule | Overview |
|---|---|
BEDROCKAGENTCORE_GATEWAY_AUTHORIZER_ENABLED |
Checks whether authentication is configured for the agent gateway |
BEDROCKAGENTCORE_RUNTIME_PRIVATE_NETWORK_REQUIRED |
Checks whether the runtime is restricted to a private network |
BEDROCK_DATA_SOURCE_ENCRYPTION_ENABLED |
Checks whether data sources are encrypted |
Logging & Auditing
Rules to verify the presence of log configurations. Useful for early detection of the risk of having no logs in the event of an incident.
| Rule | Overview |
|---|---|
CLOUDTRAIL_ALL_WRITE_S3_DATA_EVENT_CHECK |
Checks whether write data events for all current and future S3 buckets are recorded in a multi-region trail |
EC2_VPN_CONNECTION_LOGGING_ENABLED |
Checks whether logging is enabled for VPN connections |
CODEBUILD_PROJECT_LOGGING_ENABLED |
Checks whether logging is enabled for CodeBuild projects |
The full list of rules can be found in the official documentation.
Summary
We enabled ECS_NO_ENVIRONMENT_SECRETS and confirmed that ECS task definitions containing environment variables with key names specified in secretKeys are detected as NON_COMPLIANT. Since this rule evaluates environment variable names rather than their values, you specify the key names you want to detect in secretKeys.
With the addition of 191 rules this time, the range of services and configuration items that can be checked with AWS Config managed rules has expanded. Rules have also been added for Amazon Bedrock / Bedrock AgentCore to verify configurations such as authentication, networking, and encryption.
In particular, for rules with a Configuration changes trigger, the target resource type must be included in the AWS Config recording targets. Be sure to check the target resource types and trigger types for the rules you want to use in advance.
