
How should I pass sensitive environment variables to Amazon ECS tasks?


What is the recommended way to pass sensitive environment variables, e.g. passwords, to Amazon ECS tasks? With Docker Compose, I can use key-only environment variables, which results in the values being read from the OS environment. I can't see any corresponding method for ECS task definitions however.


Solution

  • In the task definition link you posted there is an "environment" section that allows you to do this. They become environment variables inside the container.

    If you mean you would like to keep information outside of the task definition and that task could reference it, you cannot. Your best bet in that case is to have your container pull that information from an outside source and not have the ECS task config try to reference it.

    Edit: I'm getting downvoted at this point because the parameter store is now the right way to do it. At the time this answer was the most correct way, but the other solutions using SSM are the right way now.
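
As an added illustration of the Parameter Store approach mentioned in the edit above (not part of the original answer): a container definition can reference an SSM parameter through its `secrets` list with `valueFrom`, instead of carrying a literal in `environment`. The check below flags the literal form in a task definition; the container name, variable names, account id, ARN and the name heuristic are constructed placeholders and assumptions.

```python
import json
import re

# Constructed task definition fragments; every name, id and ARN is a placeholder.
WEAK = json.loads("""
{"containerDefinitions": [{
  "name": "web",
  "environment": [
    {"name": "DB_HOST", "value": "db.example.internal"},
    {"name": "DB_PASSWORD", "value": "example-plaintext"}
  ]
}]}
""")

HARDENED = json.loads("""
{"containerDefinitions": [{
  "name": "web",
  "environment": [{"name": "DB_HOST", "value": "db.example.internal"}],
  "secrets": [
    {"name": "DB_PASSWORD",
     "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/example/db_password"}
  ]
}]}
""")

# Heuristic for sensitive-looking variable names (an assumption; tune per project).
SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def plaintext_secrets(task_def):
    """Return (container, variable) pairs where a sensitive-looking name has a literal value."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for var in container.get("environment", []):
            if SENSITIVE.search(var.get("name", "")) and var.get("value"):
                findings.append((container.get("name"), var["name"]))
    return findings

def secret_references(task_def):
    """Return {variable: valueFrom} for values ECS resolves when the container starts."""
    refs = {}
    for container in task_def.get("containerDefinitions", []):
        for entry in container.get("secrets", []):
            refs[entry["name"]] = entry["valueFrom"]
    return refs

if __name__ == "__main__":
    for label, task_def in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, plaintext_secrets(task_def), secret_references(task_def))
```

ECS resolves each `valueFrom` at container start using the task execution role, so that role needs permission to read the referenced parameter.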