But then they are exposed to all apps with the Fargate execution space. Security now has to move away from the OS container and towards the app itself.
What do you mean by "exposed to all apps with the Fargate execution space?" Each application has its own image, with its own run script (bash). The run script makes the request to AWS SSM and sets the environment variables before it starts the application. The secrets are only available in the container OS. The app can only read them.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.