Tags: amazon-web-services, security, amazon-ecs, aws-parameter-store

Why store ECS task definition secrets separately


I'm setting up a task definition for an ECS task. One of the environment variables on a container in the task is a set of credentials that is currently stored in the Parameter Store as a SecureString. I'm wondering what's the rationale to not just store it directly as an env variable in the task's container?

The only added security that storing it in the Parameter Store seems to bring is that AWS users and resources can be segmented to not have direct access to it, but is there any other reason?


Solution

  • Parameter Store and/or Secrets Manager would act as your single source of truth for all services that need access to your secret values. It gives you a single location you need to update when those secret values change. It stores the values securely using KMS encryption, and it provides access control via IAM to your individual secret values.

    If you embed your secrets directly in your ECS task definitions, none of the above would be true.
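To make the contrast concrete, the added example below (not code from the original answer) builds the two forms of an ECS container definition side by side: one that embeds the credential value in `environment`, and one that references the Parameter Store SecureString through the task definition's `secrets`/`valueFrom` field so the ECS agent resolves it at launch using the task execution role. It also includes a least-privilege execution-role policy and a small lint function that flags plaintext credentials in a task definition. The parameter name, account id, image name, KMS key id and variable names are constructed placeholders; the `secrets`/`valueFrom` field and the `ssm:GetParameters`/`kms:Decrypt` permissions are the real ECS and IAM mechanism.

```python
"""Contrast a plaintext credential in an ECS container definition with a
Parameter Store reference, and lint a task definition for embedded secrets.

Assumptions (not from the original answer): the parameter name
/myapp/prod/db-credentials, the account id 123456789012, the image name
and the KMS key id are constructed placeholders.
"""
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"                   # constructed placeholder account id
PARAM_NAME = "/myapp/prod/db-credentials"  # constructed SecureString name
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{PARAM_NAME}"

# Weak form: the credential value lives in the task definition itself.
# Anyone who can call ecs:DescribeTaskDefinition can read it, it is copied
# into every revision, and rotating it means registering a new revision.
WEAK_CONTAINER = {
    "name": "api",
    "image": "example/api:1.0",  # constructed image name
    "environment": [
        {"name": "DB_CREDENTIALS", "value": "user:hunter2"},  # constructed value
        {"name": "LOG_LEVEL", "value": "info"},
    ],
}

# Hardened form: the task definition carries only the parameter ARN; the ECS
# agent fetches and decrypts the value at task start using the execution role.
HARDENED_CONTAINER = {
    "name": "api",
    "image": "example/api:1.0",
    "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
    ],
    "secrets": [
        {"name": "DB_CREDENTIALS", "valueFrom": PARAM_ARN},
    ],
}

# Least-privilege policy for the task *execution* role: only this parameter
# and the KMS key that encrypts it. The key id is a constructed placeholder.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameters"],
            "Resource": PARAM_ARN,
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/KEY-ID-PLACEHOLDER",
        },
    ],
}

# Variable names that usually carry credentials; extend for local conventions.
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|credential|token|api_?key)", re.I)


def find_plaintext_secrets(container: dict) -> list[str]:
    """Return names of plaintext environment variables that look like secrets.

    Entries under `secrets` are not flagged: the task definition then holds
    only an ARN, never the value.
    """
    return [
        env["name"]
        for env in container.get("environment", [])
        if SENSITIVE_NAME.search(env["name"])
    ]


def secret_references(container: dict) -> dict[str, str]:
    """Map each injected secret name to the ARN it is resolved from."""
    return {s["name"]: s["valueFrom"] for s in container.get("secrets", [])}


def lint_task_definition(task_def: dict) -> dict[str, list[str]]:
    """Lint every container in a task definition; an empty dict means clean."""
    findings = {}
    for container in task_def["containerDefinitions"]:
        hits = find_plaintext_secrets(container)
        if hits:
            findings[container["name"]] = hits
    return findings


if __name__ == "__main__":
    for label, container in (("weak", WEAK_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        task_def = {"family": "api", "containerDefinitions": [container]}
        print(label, "findings:", lint_task_definition(task_def))
    print("hardened references:", secret_references(HARDENED_CONTAINER))
```

The lint is name-based on purpose: a task definition that has been fetched with `describe-task-definition` can be checked without knowing any real values, which makes it usable as a pre-deploy gate in CI. Note that the execution role (which resolves `valueFrom` at launch) is distinct from the task role the application code assumes, so the application itself needs no `ssm:*` permission to receive the value.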