Merge pull request #52 from InbarRose/main

add AWS_ACCESS_KEY_ID to env var checking

Author: adamjkeller

README.md

@@ -126,7 +126,7 @@ The `check-ecs-exec.sh` found one or more VPC endpoints configured in the VPC fo
 The `check-ecs-exec.sh` doesn't support checking this item for shared VPC subnets using [AWS Resouce Access Manager (AWS RAM)](https://aws.amazon.com/ram/). In short, this may not an issue to use ECS Exec if your ECS task VPC doesn't have any VPC endpoint and the task has proper outbound internet connectivity. Make sure to consult your administrator with the official ECS Exec documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-considerations) to find if your VPC need to have an additional VPC endpoint.
 
 19. **🟡 Environment Variables : defined**  
-SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables. 
+SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables. 
 
 ## Security
 

check-ecs-exec.sh

@@ -674,8 +674,8 @@ else
   fi
 fi
 
-# 11. Check task definition containers for environment variables AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY
-# if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
+# 11. Check task definition containers for environment variables AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY
+# if AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
 # if the key defined does not have requirement permissions, the execute-command will not work.
 containerNameList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].name")
 idx=0
@@ -686,15 +686,22 @@ for containerName in $containerNameList; do
   printf "       ${COLOR_DEFAULT}- AWS_ACCESS_KEY"
   AWS_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY\") | .name")
   case "${AWS_ACCESS_KEY_FOUND}" in
-    *AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
-    * ) printf ": ${COLOR_GREEN}not defined\n";;
+    *AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
+    * ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
   esac
+  # find AWS_ACCESS_KEY_ID
+  printf "       ${COLOR_DEFAULT}- AWS_ACCESS_KEY_ID"
+  AWS_ACCESS_KEY_ID_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY_ID\") | .name")
+  case "${AWS_ACCESS_KEY_ID_FOUND}" in
+    *AWS_ACCESS_KEY_ID* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
+    * ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
+  esac  
   # find AWS_SECRET_ACCESS_KEY
   printf "       ${COLOR_DEFAULT}- AWS_SECRET_ACCESS_KEY"
   AWS_SECRET_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_SECRET_ACCESS_KEY\") | .name")
   case "${AWS_SECRET_ACCESS_KEY_FOUND}" in
-    *AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
-    * ) printf ": ${COLOR_GREEN}not defined\n";;
+    *AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
+    * ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
   esac
   idx=$((idx+1))
 done