Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.

Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion. S3 bucket policy should ensure that principal of least privilege is being followed. A condition statement can be used to control the scope of the policy.

Risk Level: Medium
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.IAM.103
Category: Compute

GSL LOGIC

EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition]

REMEDIATION

From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that contains the repository to set a policy statement on.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the repository to set a policy statement on to view the contents of the repository.
  5. From the repository image list view, in the navigation pane, choose Permissions, Edit.
  6. Under Permission statements, select the policy statement that has Effect set to "Allow" and Principal set to "*", click on the Edit button to enter the edit mode.
  7. In the edit mode, explicitly grant permission to a specified entity (principal) when the effect is 'Allow'.
  8. Within Principal section, uncheck Everybody (*) checkbox and enter the AWS account ID or AWS service name in the Principal box, or select the IAM entity (user, group, role) allowed to access the selected ECR repository from All IAM entities table, based on your requirements.
  9. Save.

From TF
Use the resource "aws_ecr_repository_policy" to create policy. When the effect is 'Allow' Make sure that you don't have Principal='' or 'AWS:' in your policy document.

resource "aws_ecr_repository_policy" "testpolicy" {
	repository = example-repository
	
	policy =
	{
		...
		"Effect": "Allow",
		"Principal": {
			"AWS": [
			"arn:aws:iam::account-id:user/user-1",
			]
		}
		...
	}

From Command Line
Use the following command to set repository policy. when the effect is 'Allow' Make sure that you don't have Principal='' or 'AWS:' in your policy policy.document.Statement

aws ecr set-repository-policy --repository-name example-repository --policy-text file://my-policy.json

References

  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/set-repository-policy.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/set-repository-policy.html#
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS Security Risk Management