Amazon Elastic Container Registry (Amazon ECR)

AWS ECR Repository Policy - ECR Check Global Principal

This plugin checks that ECR repository policies do not grant access to images globally or publicly.

Risk Level: High

Description:

This plugin checks that ECR repository policies do not grant access to images globally or publicly. ECR repository policies should restrict image access to known IAM entities and AWS accounts and should avoid wildcard principals.

PingSafe strongly recommends updating the repository policy to limit access to known IAM entities.

About the Service:

Amazon ECR private registries provide highly available and scalable storage for container images. You can use your own private registry to manage private image repositories containing Docker and Open Container Initiative (OCI) images and artifacts. A default Amazon ECR private registry is provided for each AWS account.

Impact:

Amazon Elastic Container Registry uses resource-based access control policies. These policies determine who can access your ECR repositories and which actions they may perform on them. A resource-based policy that makes your image repositories publicly accessible can lead to data leakage and/or data loss.

Steps to reproduce:

  1. Log in to AWS Console.
  2. Navigate to the ECS dashboard (https://us-east-2.console.aws.amazon.com/ecs/ ).
  3. Click on “Repositories” in the left navigation panel under Amazon ECR.
  4. Select the image repository that you want to examine.
  5. Click on the Permissions tab from the top panel to access the resource-based permissions set for the selected resource.
  6. Check the values of the Effect and Principal elements in the Policy document box. If the Effect element is set to "Allow" and the Principal element is set to "*", the selected Amazon ECR image repository is exposed to everyone.
  7. Repeat the steps for the rest of the Amazon ECR repositories available within the current region.

Steps for remediation:

  1. Log in to AWS Console.
  2. Navigate to the ECS dashboard (https://us-east-2.console.aws.amazon.com/ecs/ ).
  3. Click on “Repositories” in the left navigation panel under Amazon ECR.
  4. Select the image repository that you want to examine.
  5. Click on the Permissions tab to access the permission policy defined for the selected repository and then select the policy statement that has Effect set to "Allow" and Principal set to "*".
  6. In the Actions section, choose the actions that the principal is allowed to perform. Finally, click Save Changes to apply the policy changes.
  7. Repeat the steps for each Amazon ECR image repository that you want to reconfigure, available in the current region.
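The check in step 6 of the reproduction steps and the remediated policy from the steps above can be expressed in code. The following is an added example, not part of the original page or PingSafe's scanner: it flags "Allow" statements whose Principal is a wildcard in any of the shapes the IAM policy grammar allows, and shows a constructed public policy beside a constructed restricted one (the account ID and role name are placeholders).

```python
import json

# Constructed sample: the weak policy the check flags (Effect "Allow", Principal "*").
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    }],
})

# Constructed sample: the remediated policy, scoped to one known IAM role.
# 111122223333 / ci-pull-role are placeholder values, not real identifiers.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPull",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-pull-role"},
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    }],
})


def principal_is_wildcard(principal) -> bool:
    """True when the Principal element grants to everyone.

    Covers the three forms a policy may use: the bare string "*",
    {"AWS": "*"}, and {"AWS": [..., "*"]}. Service principals are not wildcards.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_global_statements(policy_text: str) -> list:
    """Return the Sid (or index label) of each Allow statement with a wildcard principal."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [
        stmt.get("Sid", f"statement[{i}]")
        for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal"))
    ]
```

`find_global_statements` takes the JSON policy text exactly as the console's Policy document box shows it; an empty result means no statement exposes the repository globally.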
