Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.

Protect the Amazon ECR image repositories available within your AWS account from any unauthorized access. Amazon Elastic Container Registry uses resource-based policies to control access. These types of permission policies let you specify who has access to your ECR repositories and what actions they can perform on them. Allowing public access to your Amazon ECR image repositories through resource-based policies can lead to data leakage and/or data loss.

Risk Level: Medium
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.IAM.103
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition]

REMEDIATION

From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that contains the repository to set a policy statement on.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the repository to set a policy statement on to view the contents of the repository.
  5. From the repository image list view, in the navigation pane, choose Permissions, Edit.
  6. Under Permission statements, select the policy statement that has Effect set to "Allow" and Principal set to "*", and click the Edit button to enter edit mode.
  7. In edit mode, explicitly grant permission to a specified entity (principal) when the effect is 'Allow'.
  8. Within the Principal section, uncheck the Everybody (*) checkbox and enter the AWS account ID or AWS service name in the Principal box, or select the IAM entity (user, group, role) allowed to access the selected ECR repository from the All IAM entities table, based on your requirements.
  9. Save.

From TF
Use the resource "aws_ecr_repository_policy" to create the policy. When the effect is 'Allow', make sure that you don't have Principal='*' or Principal.AWS='*' in your policy document, with or without a Condition.

resource "aws_ecr_repository_policy" "testpolicy" {
	repository = "example-repository"

	# jsonencode() renders the HCL map as the JSON policy document the API expects
	policy = jsonencode({
		Version = "2012-10-17"
		Statement = [
			{
				Sid    = "AllowPullForSpecificUser"
				Effect = "Allow"
				# Explicit principal instead of "*": only this IAM user is granted access
				Principal = {
					AWS = [
						"arn:aws:iam::account-id:user/user-1",
					]
				}
				# Read-only pull actions shown as an illustrative action set; restrict to what the principal needs
				Action = [
					"ecr:BatchCheckLayerAvailability",
					"ecr:BatchGetImage",
					"ecr:GetDownloadUrlForLayer",
				]
			}
		]
	})
}

From Command Line
Use the following command to set the repository policy. When the effect is 'Allow', make sure that you don't have Principal='*' or Principal.AWS='*' in any entry of policy.document.Statement, with or without a Condition.

aws ecr set-repository-policy --repository-name example-repository --policy-text file://my-policy.json
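The following Python script is an added example, not CloudGuard's own rule engine, that applies the GSL logic above to a policy document such as my-policy.json before it is passed to set-repository-policy. It normalizes the forms a Principal can take ("*", {"AWS": "*"}, or a list containing "*"), flags every Allow statement that grants to everyone, and reports separately whether a Condition was attached, since a Condition does not make the statement compliant under this rule. The two embedded policy documents, the account ID and the Sids are constructed sample values.

```python
import json
import sys

# Constructed sample policies (not from any real account).
# The first is the pattern the rule flags: Effect=Allow, Principal="*", narrowed by a Condition.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicPullWithCondition",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# The remediated form: an explicit IAM principal instead of the wildcard.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PullFromOneUser",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/user-1"]},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True if Principal grants to everyone: "*" or Principal.AWS containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_wildcard_allow_statements(policy_text):
    """Return (sid, has_condition) for each Allow statement whose Principal is a wildcard."""
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "statement[%d]" % idx)
        findings.append((sid, "Condition" in stmt))
    return findings


def matches_rule(policy_text):
    """Sids matching D9.AWS.IAM.103 exactly: Allow + wildcard Principal + Condition present."""
    return [sid for sid, has_condition in find_wildcard_allow_statements(policy_text)
            if has_condition]


def is_compliant(policy_text):
    """No wildcard Allow statement at all, conditioned or not."""
    return not find_wildcard_allow_statements(policy_text)


if __name__ == "__main__":
    # Usage: python check_ecr_policy.py my-policy.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NONCOMPLIANT_POLICY
    for sid, has_condition in find_wildcard_allow_statements(text):
        suffix = " (Condition present, still flagged)" if has_condition else ""
        print("wildcard principal in statement %s%s" % (sid, suffix))
    sys.exit(0 if is_compliant(text) else 1)
```

Run it on the policy file before calling set-repository-policy; a non-zero exit means the document still grants to everyone. The check deliberately ignores Principal.Service and Principal.Federated entries, mirroring the rule, which only matches Principal='*' or Principal.AWS='*'.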

References

  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/set-repository-policy.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/set-repository-policy.html#
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset