AWS ECR Exposed to Public
Description:
Amazon Elastic Container Registry (ECR) is a fully managed container registry service that allows users to store, manage, and deploy Docker container images. When an ECR repository is exposed to the public, unauthorized entities can pull or, in some cases, push container images. This can lead to potential data breaches, unauthorized distribution of software, and exposure of proprietary technologies or vulnerabilities.
Remediation:
1. Restrict Public Access to Amazon ECR:
AWS Management Console:
- Navigate to the Amazon ECR service in the AWS Console.
- Choose the ECR repository you want to check.
- Go to the Permissions tab.
- Review the repository policies. Look for statements whose Principal is "*" or that grant other broad permissions.
- Remove or modify any statements that allow public access. Ensure that permissions are granted only to specific IAM entities or roles that require access.
AWS CLI:
To retrieve the repository policy of an ECR repository:
aws ecr get-repository-policy --repository-name YOUR_ECR_REPOSITORY_NAME
Review the returned policy. If it contains overly permissive statements, you can modify the policy and then set it with:
aws ecr set-repository-policy --repository-name YOUR_ECR_REPOSITORY_NAME --policy-text file://path_to_modified_policy.json
Replace path_to_modified_policy.json with the path to your updated policy file.
Terraform:
If you're using Terraform to manage your AWS resources, review your ECR repository configurations:
resource "aws_ecr_repository" "example" {
  name = "example"
  # ... other ECR configurations ...
}
# The repository policy is attached by a separate resource; ensure the referenced file has no overly permissive statements
resource "aws_ecr_repository_policy" "example" {
  repository = aws_ecr_repository.example.name
  policy     = file("path_to_policy.json")
}
Check the referenced policy file (path_to_policy.json) and ensure it doesn't grant permissions to "*" or any overly broad permissions.
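The review step above (retrieve the policy, find statements open to any principal, write a corrected policy back) can be automated for the policy document that `aws ecr get-repository-policy` returns in its policyText field. The following is an added example, not code from the original page or from AWS; the policy document, the account ID and the role name in it are constructed sample values, and the script only inspects a JSON document, so it runs offline without AWS credentials.

```python
import json

# Constructed sample: an overly permissive ECR repository policy, shaped like
# the policyText string returned by "aws ecr get-repository-policy".
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyonePull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
        },
        {
            "Sid": "AllowCiRolePush",
            "Effect": "Allow",
            # Constructed account ID and role name, not real identifiers.
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-push"},
            "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload"],
        },
    ],
})


def _principal_is_public(principal) -> bool:
    """True when the Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _statements(policy: dict) -> list:
    """Normalise the Statement element, which may be a single object or a list."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def find_public_statements(policy_text: str) -> list:
    """Return the Sids (or positional labels) of Allow statements open to any principal.

    Only unconditional wildcard Allows are reported; a wildcard principal with a
    Condition block still deserves manual review but is not flagged here.
    """
    flagged = []
    for idx, stmt in enumerate(_statements(json.loads(policy_text))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", f"statement[{idx}]"))
    return flagged


def remove_public_statements(policy_text: str) -> str:
    """Return the policy with the public Allow statements removed.

    The result is the document you would save and pass to
    "aws ecr set-repository-policy --policy-text file://...".
    """
    policy = json.loads(policy_text)
    public = set(find_public_statements(policy_text))
    kept = [s for i, s in enumerate(_statements(policy))
            if s.get("Sid", f"statement[{i}]") not in public]
    policy["Statement"] = kept
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("Public statements:", find_public_statements(PUBLIC_POLICY))
    print(remove_public_statements(PUBLIC_POLICY))
```

Removing every public statement leaves a repository that only the named IAM principals can reach; if a public pull is a deliberate business decision, keep that statement but confirm it grants read-only actions and nothing that allows pushing images.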
Recommendation:
Always keep ECR repositories private unless there's a legitimate business reason to make them public. If public access is required, be very intentional about the permissions you grant and to whom. Regularly audit ECR repository policies and adjust them as necessary to match current requirements. Implement monitoring mechanisms, such as AWS CloudTrail, to track access and modifications to your repositories.