The latest articles on DEV Community by josepraveen (@cloudsecops). https://dev.to/cloudsecops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1574695%2F08254b84-0d0f-4d6e-bf5a-8edb4d10b648.gif https://dev.to/cloudsecops en josepraveen Tue, 26 May 2026 14:16:39 +0000 https://dev.to/cloudsecops/using-cfn-lint-to-detect-cloudformation-misconfigurations-in-aws-codepipeline-7b7 https://dev.to/cloudsecops/using-cfn-lint-to-detect-cloudformation-misconfigurations-in-aws-codepipeline-7b7 <p>In this tutorial, you'll learn how to integrate cfn-lint into an AWS CI/CD workflow using Amazon Web Services CodePipeline and CodeBuild. By the end, you'll have a governance stage in your pipeline that automatically validates CloudFormation templates before deployment.</p> <p>We’ll cover:</p> <ul> <li>Creating a compliant CloudFormation template</li> <li>Validating templates locally with cfn-lint</li> <li>Verifying the governance stage inside CodePipeline</li> </ul> <h2> Why Use cfn-lint? </h2> <p>cfn-lint is an open-source tool that validates AWS CloudFormation templates against AWS resource specifications and best practices.</p> <p>It helps detect:</p> <ul> <li>Syntax issues</li> <li>Invalid resource properties</li> <li>Misconfigured IAM permissions</li> <li>Incorrect parameter usage</li> <li>Security-related template mistakes</li> </ul> <p>Clone the repository used in this lab:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> <span class="o">&amp;&amp;</span> git clone https://github.com/pluralsight-cloud/Path-Proactive-Security-in-Your-AWS-CI-CD-Pipeline.git </code></pre> </div> <p>Navigate to the lab directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>Path-Proactive-Security-in-Your-AWS-CI-CD-Pipeline/4-lab-using-static-analysis-to-detect-cloudformation-misconfigurations </code></pre> </div> <h1> Objective 1: Introduce a Compliant Template </h1> <p>First, verify the pre-existing AWS resources.</p> <h2> Verify the S3 Bucket </h2> <p>Open Amazon S3 and locate the bucket that starts with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>governance-lab-artifacts- </code></pre> </div> <p>You should notice:</p> <ul> <li>The bucket is empty</li> <li>Versioning is enabled</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftml8aa06wzdualyr3wrw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftml8aa06wzdualyr3wrw.png" alt="s3 bucket" width="800" height="292"></a></p> <p>Save the bucket name for later.</p> <h2> Verify the Pipeline </h2> <p>Open AWS CodePipeline and locate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>governance-pipeline </code></pre> </div> <p>The pipeline should currently be in a failed state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6vqa0qqes36gf1hvx79.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6vqa0qqes36gf1hvx79.png" alt="codepipline failed" width="800" height="178"></a></p> <p>Verify the stages exist in this order:</p> <ol> <li>Source</li> <li>GovernanceLint</li> <li>Deploy</li> </ol> <h2> Update the CloudFormation Template </h2> <p>Open the template file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vim infra/template.yml </code></pre> </div> <p>Uncomment the IAM role section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight viml"><code><span class="p">:</span><span class="m">46</span><span class="p">,</span>$s<span class="sr">/# /</span>/<span class="k">g</span> </code></pre> </div> <p>Alternatively, paste the following IAM role resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">NewRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="s">governance-lab-test-role</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">ec2.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">compliant-s3-limited-access</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">s3:GetObject</span> <span class="pi">-</span> <span class="s">s3:ListBucket</span> <span class="pi">-</span> <span class="s">s3:PutObject</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::governance-lab-artifacts-${AWS::AccountId}-${AWS::Region}-an/*"</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::governance-lab-artifacts-${AWS::AccountId}-${AWS::Region}-an"</span> </code></pre> </div> <p>Save and exit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight viml"><code><span class="p">:</span><span class="k">wq</span><span class="p">!</span> </code></pre> </div> <p>This IAM role allows EC2 instances to assume the role and access specific S3 bucket actions with limited permissions.</p> <h1> Objective 2: Validate Templates Locally </h1> <p>Before integrating linting into the pipeline, validate the template locally.</p> <h2> Install cfn-lint </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>cfn-lint pyyaml boto3 </code></pre> </div> <p>Verify installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cfn-lint <span class="nt">--version</span> </code></pre> </div> <p>Example output:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nynzzg4ekor5gcyyom7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nynzzg4ekor5gcyyom7.png" alt="cfn-lint version" width="800" height="207"></a></p> <h2> Lint the Template </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cfn-lint <span class="nt">-f</span> pretty infra/template.yml </code></pre> </div> <p>If the template is valid, you'll see output indicating:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0 errors </code></pre> </div> <h1> Objective 3: Update the CodeBuild Configuration </h1> <p>Next, integrate cfn-lint into the pipeline’s governance stage.</p> <p>Open the buildspec file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vim configuration/buildspec.yml </code></pre> </div> <p>Delete the existing content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight viml"><code><span class="p">:</span><span class="m">1</span><span class="p">,</span><span class="m">20</span><span class="k">d</span> </code></pre> </div> <p>Uncomment the remaining lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight viml"><code><span class="p">:</span><span class="m">1</span><span class="p">,</span>$s<span class="sr">/# /</span>/<span class="k">g</span> </code></pre> </div> <h1> What This BuildSpec Does </h1> <p>The updated buildspec introduces two phases:</p> <h2> Install Phase </h2> <p>Installs:</p> <ul> <li>cfn-lint</li> <li>PyYAML</li> <li>boto3</li> </ul> <h2> Build Phase </h2> <p>Runs lint validation against every YAML template inside the infra directory.</p> <p>If linting fails, the pipeline stops immediately before deployment.</p> <p>This creates an automated governance gate inside the CI/CD process.</p> <h1> Objective 4: Verify the Governance Stage </h1> <p>Now upload the updated artifacts to trigger the pipeline.</p> <h2> Zip the Project Files </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/Path-Proactive-Security-in-Your-AWS-CI-CD-Pipeline/4-lab-using-static-analysis-to-detect-cloudformation-misconfigurations zip <span class="nt">-r</span> artifacts.zip infra configuration </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m2m9a0kj0re557gea4n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m2m9a0kj0re557gea4n.png" alt="zip file" width="798" height="84"></a></p> <h2> Upload to Amazon S3 </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3 <span class="nb">cp </span>artifacts.zip s3://&lt;YOUR_BUCKET_NAME_GOES_HERE&gt;/ </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe17z1j6868s362jmuaxw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe17z1j6868s362jmuaxw.png" alt="upload file" width="797" height="124"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jobp8i4qi3udk6hdd1d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jobp8i4qi3udk6hdd1d.png" alt="upload successful" width="800" height="292"></a></p> <h1> Verify Pipeline Execution </h1> <p>Navigate back to AWS CodePipeline and monitor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>governance-pipeline </code></pre> </div> <p>You should observe:</p> <ul> <li>GovernanceLint stage executes successfully</li> <li>Deploy stage completes successfully</li> <li>CloudFormation stack deployment succeeds</li> </ul> <p>Inside the GovernanceLint logs, you'll see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cfn-lint <span class="nt">--version</span> cfn-lint <span class="nt">-f</span> pretty infra/<span class="k">**</span>/<span class="k">*</span>.yml </code></pre> </div> <p>with no validation errors.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0p8rds7vf28ms9ryccj6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0p8rds7vf28ms9ryccj6.png" alt="logs" width="800" height="311"></a></p> <h1> Verify CloudFormation Resources </h1> <p>Open the deployed CloudFormation stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>governance-lab-deploy </code></pre> </div> <p>Under the Resources tab, you should see:</p> <ul> <li>AppSecurityGroup</li> <li>NewRole</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2odbn93blp179yao6q5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2odbn93blp179yao6q5.png" alt="role" width="799" height="293"></a></p> <p>This confirms the compliant template passed validation and deployed successfully.</p> <h1> Testing a Failure Scenario (Optional) </h1> <p>To test the governance controls, intentionally introduce a template error.</p> <p>Update:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">FromPort</span><span class="pi">:</span> <span class="s">HTTPS</span> </code></pre> </div> <p>Rebuild and upload the artifacts again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>zip <span class="nt">-r</span> artifacts.zip infra configuration aws s3 <span class="nb">cp </span>artifacts.zip s3://&lt;YOUR_BUCKET_NAME_GOES_HERE&gt;/ </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faz4jg82mldf1hd9vx9uu.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faz4jg82mldf1hd9vx9uu.gif" alt="demo" width="599" height="239"></a></p> <p>This time, the GovernanceLint stage should fail, and CodeBuild logs will display the cfn-lint validation error.</p> <p>This proves the governance stage is actively blocking malformed infrastructure templates from deployment.</p> <h1> Benefits of Adding cfn-lint to AWS CodePipeline </h1> <p>Integrating cfn-lint into your CI/CD pipeline provides several advantages:</p> <ul> <li>Early detection of template errors</li> <li>Improved infrastructure security</li> <li>Faster deployment troubleshooting</li> <li>Consistent infrastructure governance</li> <li>Reduced production deployment failures</li> </ul> <p>Most importantly, it shifts validation left — catching issues before they ever reach AWS CloudFormation deployment stages.</p> <p><a href="https://www.pluralsight.com/labs/aws/using-static-analysis-to-detect-cloudformation-misconfigurations" rel="noopener noreferrer">https://www.pluralsight.com/labs/aws/using-static-analysis-to-detect-cloudformation-misconfigurations</a></p> security aws devops cicd josepraveen Tue, 26 May 2026 07:36:33 +0000 https://dev.to/cloudsecops/deploy-a-secure-containerized-app-on-amazon-ecs-fargate-using-ecr-and-secrets-manager-57m3 https://dev.to/cloudsecops/deploy-a-secure-containerized-app-on-amazon-ecs-fargate-using-ecr-and-secrets-manager-57m3 <h1> Deploy a Secure Containerized App on Amazon ECS Fargate Using ECR and Secrets Manager </h1> <p>In this hands-on guide, you'll learn how to:</p> <ul> <li>✅ Build and containerize a Python application</li> <li>✅ Push Docker images to Amazon ECR</li> <li>✅ Deploy containers on ECS Fargate</li> <li>✅ Configure least-privilege IAM roles</li> <li>✅ Inject secrets securely using AWS Secrets Manager</li> <li>✅ Verify logs using CloudWatch</li> </ul> <p>By the end, you'll have a production-style ECS deployment pipeline running entirely on AWS.</p> <h1> 🚀 Architecture Overview </h1> <p>We'll use the following AWS services:</p> <ul> <li> <strong>Amazon ECR</strong> → Store container images</li> <li> <strong>Amazon ECS Fargate</strong> → Run serverless containers</li> <li> <strong>AWS IAM</strong> → Secure task permissions</li> <li> <strong>AWS Secrets Manager</strong> → Store secrets securely</li> <li> <strong>Amazon CloudWatch Logs</strong> → Monitor container logs</li> </ul> <h1> Step 1 — Clone the Application Repository </h1> <p>Open <strong>AWS CloudShell</strong> from the AWS Console and clone the repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/pluralsight-cloud/Lab-Secure-Container-Deployment-on-ECS-Fargate.git <span class="nb">cd </span>Lab-Secure-Container-Deployment-on-ECS-Fargate </code></pre> </div> <p>Inspect the application files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>app.py <span class="nb">cat </span>Dockerfile </code></pre> </div> <h1> Step 2 — Authenticate Docker to Amazon ECR </h1> <p>Set your AWS account variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">REGION</span><span class="o">=</span>us-east-1 </code></pre> </div> <p>Authenticate Docker with ECR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password <span class="nt">--region</span> <span class="nv">$REGION</span> | docker login <span class="se">\</span> <span class="nt">--username</span> AWS <span class="se">\</span> <span class="nt">--password-stdin</span> <span class="se">\</span> <span class="nv">$ACCOUNT_ID</span>.dkr.ecr.<span class="nv">$REGION</span>.amazonaws.com </code></pre> </div> <p>You should see:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F420066irq2mbogkat5h8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F420066irq2mbogkat5h8.png" alt=" " width="800" height="76"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Login Succeeded </code></pre> </div> <h1> Step 3 — Build and Push the Docker Image </h1> <p>Build the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> secure-fargate-app <span class="nb">.</span> </code></pre> </div> <blockquote> <p>If you're using Apple Silicon (M1/M2/M3), use:<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">--platform</span> linux/amd64 <span class="nt">-t</span> secure-fargate-app <span class="nb">.</span> </code></pre> </div> <p>Tag the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag secure-fargate-app:latest <span class="se">\</span> <span class="nv">$ACCOUNT_ID</span>.dkr.ecr.<span class="nv">$REGION</span>.amazonaws.com/secure-fargate-app:latest </code></pre> </div> <p>Push the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push <span class="se">\</span> <span class="nv">$ACCOUNT_ID</span>.dkr.ecr.<span class="nv">$REGION</span>.amazonaws.com/secure-fargate-app:latest </code></pre> </div> <h1> Step 4 — Verify the Image in Amazon ECR </h1> <p>Navigate to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Amazon ECR → Repositories → secure-fargate-app </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2wp8fxy464sf7fnor6mb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2wp8fxy464sf7fnor6mb.png" alt=" " width="800" height="203"></a></p> <h1> Step 5 — Create the ECS Task Execution Role </h1> <p>Go to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM → Roles → Create Role </code></pre> </div> <p>Choose:</p> <ul> <li>Trusted entity: <strong>AWS Service</strong> </li> <li>Use case: <strong>Elastic Container Service Task</strong> </li> </ul> <p>Attach the policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AmazonECSTaskExecutionRolePolicy </code></pre> </div> <p>Role name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ecsTaskExecutionRole </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffbfhj3f3gdp01z8f0dm6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffbfhj3f3gdp01z8f0dm6.png" alt=" " width="798" height="239"></a></p> <h1> Step 6 — Allow ECS to Read Secrets Manager </h1> <p>Add an inline policy to the execution role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Policy name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SecretsManagerReadAccess </code></pre> </div> <blockquote> <p>In production, always scope permissions to specific secret ARNs.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwitg22o05rm4140cdb46.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwitg22o05rm4140cdb46.png" alt=" " width="799" height="238"></a></p> <h1> Step 7 — Create the ECS Task Role </h1> <p>Create another IAM role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ecsTaskRole </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhok5a0um5ucu2ruy6tr2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhok5a0um5ucu2ruy6tr2.png" alt=" " width="800" height="249"></a></p> <p>This role intentionally has <strong>no permissions</strong> because the application does not call AWS services directly.</p> <p>This is a great example of the <strong>principle of least privilege</strong>.</p> <h1> Step 8 — Create the ECS Task Definition </h1> <p>Go to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Amazon ECS → Task Definitions → Create with JSON </code></pre> </div> <p>Paste the following JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secure-fargate-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"taskRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT_ID:role/ecsTaskRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secure-fargate-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/secure-fargate-app:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"essential"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_CREDENTIALS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:prod/db-credentials"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/secure-fargate-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Replace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ACCOUNT_ID </code></pre> </div> <p>with your actual AWS account ID.</p> <h1> 🔐 Why Secrets Manager Matters </h1> <p>Instead of hardcoding secrets inside:</p> <ul> <li>Docker images</li> <li>Environment files</li> <li>Git repositories</li> </ul> <p>ECS securely injects secrets at runtime using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:..."</span><span class="w"> </span></code></pre> </div> <p>This keeps credentials out of source control and container layers.</p> <h1> Step 9 — Deploy the ECS Fargate Service </h1> <p>Go to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Amazon ECS → Clusters → lab-cluster → Services → Create </code></pre> </div> <p>Use the following settings:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Launch Type</td> <td>Fargate</td> </tr> <tr> <td>Task Definition</td> <td>secure-fargate-app</td> </tr> <tr> <td>Service Name</td> <td>secure-fargate-svc</td> </tr> <tr> <td>Platform Version</td> <td>LATEST</td> </tr> </tbody> </table></div> <h3> Networking </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>VPC</td> <td>lab-vpc</td> </tr> <tr> <td>Subnets</td> <td>lab-public-subnet-1, lab-public-subnet-2</td> </tr> <tr> <td>Public IP</td> <td>Enabled</td> </tr> </tbody> </table></div> <p>Create a security group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fargate-sg </code></pre> </div> <p>Inbound rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP → Anywhere </code></pre> </div> <blockquote> <p>For demo purposes only. Restrict inbound traffic properly in production environments.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99u8icknk1o7zjflygd7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99u8icknk1o7zjflygd7.png" alt=" " width="799" height="293"></a></p> <h1> Step 10 — Verify the Running Task </h1> <p>Open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ECS → Clusters → lab-cluster → Services </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh153tc8anh9ggos8z5y6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh153tc8anh9ggos8z5y6.png" alt=" " width="800" height="322"></a></p> <p>If the task stops unexpectedly:</p> <ul> <li>Verify IAM role ARNs</li> <li>Check the ECR image URI</li> <li>Ensure Secrets Manager permissions exist</li> </ul> <h1> Step 11 — Validate Secret Injection in CloudWatch </h1> <p>Navigate to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CloudWatch → Logs → Log Groups → /ecs/secure-fargate-app </code></pre> </div> <p>Open the latest log stream.</p> <p>You should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[OK] Secret successfully injected via Secrets Manager! </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgdetg0gqtj4vr5l0ft4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgdetg0gqtj4vr5l0ft4.png" alt=" " width="800" height="253"></a></p> <p>This confirms:</p> <ul> <li>✅ ECS resolved the secret</li> <li>✅ Secrets Manager integration works</li> <li>✅ The container received the environment variable securely</li> </ul> <h1> 🎯 What You Learned </h1> <p>In this project, you successfully:</p> <ul> <li>Built a Docker image</li> <li>Stored it in Amazon ECR</li> <li>Deployed it to ECS Fargate</li> <li>Applied least-privilege IAM roles</li> <li>Injected secrets securely</li> <li>Verified runtime logs in CloudWatch</li> </ul> <p>This workflow reflects real-world AWS container deployment patterns used in production environments.</p> <p><a href="https://www.pluralsight.com/labs/aws/secure-container-deployment-on-ecs-fargate" rel="noopener noreferrer">https://www.pluralsight.com/labs/aws/secure-container-deployment-on-ecs-fargate</a><br> <a href="https://github.com/pluralsight-cloud/Lab-Secure-Container-Deployment-on-ECS-Fargate" rel="noopener noreferrer">https://github.com/pluralsight-cloud/Lab-Secure-Container-Deployment-on-ECS-Fargate</a></p> security aws ecs fargate