mTLS on ECS: the sidecar pattern and the secret distribution problem
PCI DSS's requirement that cardholder data be protected with strong cryptography in transit is, in practice, applied to east-west traffic inside the CDE (Cardholder Data Environment) as well, not only to the hop that terminates at the load balancer. Here is how to run NGINX or HAProxy as an mTLS sidecar next to the application container in an ECS Fargate task, and how to get the server certificate, private key and client CA bundle into that sidecar without baking them into the image or leaving them in plaintext in the task definition.
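The sidecar pattern relies on the fact that all containers in one Fargate task share a network namespace: the proxy terminates mTLS on its own port and forwards cleartext to the application over loopback, which never leaves the task. For distribution, ECS can map a Secrets Manager secret into the sidecar as an environment variable via the container definition's `secrets` list (`valueFrom` set to the secret ARN, with the task execution role allowed `secretsmanager:GetSecretValue`), so nothing sensitive sits in the task definition itself. What follows is an added example of a sidecar entrypoint, written for this page and not taken from NGINX, HAProxy or any AWS sample. It assumes, as hypothetical names, that the secret arrives in an env var `MTLS_BUNDLE` as JSON with `cert`, `key` and `ca` PEM fields, that the app listens on `127.0.0.1:8080`, and that `/run/mtls` is writable ephemeral storage. It materializes the PEMs with 0600 permissions, drops the env var so NGINX does not inherit it, refuses to start if the key does not match the certificate or the CA does not parse, and only then execs NGINX with a server block that enforces client certificate verification.

```python
"""Sidecar entrypoint: ECS-injected secret -> on-disk PEMs -> validated -> exec nginx.
Added example; assumed names: env var MTLS_BUNDLE, directory /run/mtls, app on :8080."""
import json
import os
import ssl
import stat
import sys

ENV_VAR = "MTLS_BUNDLE"     # assumed name of the env var mapped from Secrets Manager
DEFAULT_DIR = "/run/mtls"   # assumed; task-local ephemeral storage on Fargate
REQUIRED = ("cert", "key", "ca")


def materialize_bundle(bundle_json: str, dest_dir: str) -> dict:
    """Parse the secret JSON and write each PEM to dest_dir, dir 0700 / files 0600.
    Returns {"cert": path, "key": path, "ca": path}."""
    bundle = json.loads(bundle_json)
    missing = [k for k in REQUIRED if not bundle.get(k)]
    if missing:
        raise ValueError(f"secret bundle missing fields: {missing}")
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    os.chmod(dest_dir, 0o700)  # makedirs honours umask, so enforce the mode explicitly
    paths = {}
    for name in REQUIRED:
        path = os.path.join(dest_dir, f"{name}.pem")
        # Create with 0600 from the start rather than chmod after writing
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(bundle[name].rstrip() + "\n")
        os.chmod(path, 0o600)  # in case the file already existed with a looser mode
        paths[name] = path
    return paths


def validate_bundle(paths: dict) -> bool:
    """Fail fast before exec'ing NGINX: the key must match the cert and the CA must
    parse. Stdlib ssl only; unparseable or mismatched material returns False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=paths["cert"], keyfile=paths["key"])
        ctx.load_verify_locations(cafile=paths["ca"])
    except ssl.SSLError:
        return False
    return True


def render_nginx_conf(paths: dict, listen_port: int = 8443,
                      upstream: str = "127.0.0.1:8080") -> str:
    """NGINX config that requires a client cert chaining to the CDE CA and forwards
    cleartext to the app over the task-local loopback (shared netns on Fargate)."""
    return f"""events {{}}
http {{
  server {{
    listen {listen_port} ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate        {paths['cert']};
    ssl_certificate_key    {paths['key']};
    ssl_client_certificate {paths['ca']};
    ssl_verify_client on;
    ssl_verify_depth 2;
    location / {{
      proxy_pass http://{upstream};
      proxy_set_header X-Client-DN $ssl_client_s_dn;
    }}
  }}
}}
"""


def selfcheck() -> dict:
    """Offline run on a constructed, deliberately bogus bundle: shows the on-disk
    permissions the entrypoint enforces and that unusable material is rejected."""
    import tempfile
    fake = {k: f"-----BEGIN {k.upper()}-----\nnot real pem\n-----END {k.upper()}-----"
            for k in REQUIRED}  # constructed placeholder, not valid key material
    with tempfile.TemporaryDirectory() as tmp:
        mtls_dir = os.path.join(tmp, "mtls")
        paths = materialize_bundle(json.dumps(fake), mtls_dir)
        return {
            "file_modes": {k: stat.S_IMODE(os.stat(p).st_mode) for k, p in paths.items()},
            "dir_mode": stat.S_IMODE(os.stat(mtls_dir).st_mode),
            "valid": validate_bundle(paths),
            "conf": render_nginx_conf(paths),
        }


def main() -> None:
    bundle_json = os.environ.pop(ENV_VAR, None)  # pop so NGINX never inherits it
    if bundle_json is None:
        sys.exit(f"{ENV_VAR} not set; check the ECS container definition's secrets mapping")
    paths = materialize_bundle(bundle_json, DEFAULT_DIR)
    if not validate_bundle(paths):
        sys.exit("certificate, key and CA do not form a usable chain; refusing to start")
    conf = os.path.join(DEFAULT_DIR, "nginx.conf")
    with open(conf, "w") as fh:
        fh.write(render_nginx_conf(paths))
    os.execvp("nginx", ["nginx", "-c", conf, "-g", "daemon off;"])


if __name__ == "__main__":
    main()
```

Two design points matter here. The validation step is the one that catches the most common rotation mistake, a rotated certificate with a stale key, before the proxy starts serving and fails every handshake; and popping the env var before `execvp` keeps the PEM out of `/proc/<pid>/environ` of the NGINX worker processes. For HAProxy the same entrypoint applies with a `bind :8443 ssl crt /run/mtls/cert.pem ca-file /run/mtls/ca.pem verify required` line in place of the NGINX block (HAProxy expects the key appended to the certificate file).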