Ensure Full Access (AmazonElasticContainerRegistryPublicFullAccess) is not applied to Amazon Elastic Container Registry (ECR) Public repository

MEDIUM

Description

Policy actions in Amazon Elastic Container Registry (ECR) Public use the prefix 'ecr-public:' before the action name. Ensure the AWS managed policy AmazonElasticContainerRegistryPublicFullAccess is not attached to IAM identities (users, user groups or roles). FullAccess grants administrative permissions over all Amazon ECR Public actions, including creating and deleting public repositories, pushing images and setting repository policies. An identity that only needs to pull images therefore ends up with unnecessary privileged access, and if that identity is compromised the attacker can publish a malicious image under a repository name that downstream consumers already trust. Where read access is all that is required, attach AmazonElasticContainerRegistryPublicReadOnly to your IAM identities instead.
This policy grants read-only permissions to Amazon ECR Public. These permissions include the ability to describe public registries, to list and describe public repositories, to describe images within a public repository, and to pull images from Amazon ECR Public with the Docker CLI.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the IAM console. The managed policies are attached to IAM identities, not to individual ECR Public repositories, so the change is made in IAM rather than in the repository's Permissions tab.
  2. Select Policies, open AmazonElasticContainerRegistryPublicFullAccess and note every user, user group and role it is attached to.
  3. For each of those identities, open it under Users, User groups or Roles, go to the Permissions tab, select AmazonElasticContainerRegistryPublicFullAccess and choose Remove.
  4. Choose Add permissions, then Attach policies, search for AmazonElasticContainerRegistryPublicReadOnly and attach it.
  5. Identities that genuinely need to push images should receive a customer managed policy scoped to the specific ecr-public actions and repositories they use, rather than the FullAccess managed policy.
    Follow this reference link https://docs.aws.amazon.com/AmazonECR/latest/public/public-security-iam-awsmanpol.html
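The following Python script is an added example, not part of this rule page or of any AWS tooling. It shows the two checks behind the description and the remediation above: first, whether an inline or customer managed policy document grants ecr-public write actions (so "ecr-public:*" or "*" counts as full access even when the managed policy itself is not attached); second, turning the output of `aws iam list-entities-for-policy` for the FullAccess policy into the detach/attach commands that swap it for ReadOnly. The sample entity listing and the sample policy document are constructed inline so the script runs offline, and the list of write actions is a representative subset of the ecr-public action namespace rather than an exhaustive one.

```python
"""Audit helper for AmazonElasticContainerRegistryPublicFullAccess (added example)."""
import fnmatch
import json

FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicFullAccess"
READ_ONLY_ARN = "arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly"

# Representative (not exhaustive) ecr-public actions that modify registries or
# repositories. None of them is granted by AmazonElasticContainerRegistryPublicReadOnly.
ECR_PUBLIC_WRITE_ACTIONS = (
    "ecr-public:CreateRepository",
    "ecr-public:DeleteRepository",
    "ecr-public:SetRepositoryPolicy",
    "ecr-public:DeleteRepositoryPolicy",
    "ecr-public:PutImage",
    "ecr-public:InitiateLayerUpload",
    "ecr-public:UploadLayerPart",
    "ecr-public:CompleteLayerUpload",
    "ecr-public:BatchDeleteImage",
)


def _as_list(value):
    """IAM allows Statement/Action to be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_write_actions(policy_document):
    """Return the ecr-public write actions an IAM policy document allows.

    Action patterns are matched case-insensitively with IAM's '*' and '?' wildcards,
    so "*" and "ecr-public:*" both grant every write action. An Allow statement
    that uses NotAction is treated conservatively as allowing everything.
    """
    granted = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            granted.update(ECR_PUBLIC_WRITE_ACTIONS)
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ECR_PUBLIC_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(granted)


def remediation_commands(entities):
    """Build the AWS CLI commands that detach FullAccess and attach ReadOnly.

    `entities` has the shape returned by
    `aws iam list-entities-for-policy --policy-arn <FullAccess ARN>`.
    """
    kinds = (
        ("PolicyUsers", "UserName", "user"),
        ("PolicyGroups", "GroupName", "group"),
        ("PolicyRoles", "RoleName", "role"),
    )
    commands = []
    for key, name_field, kind in kinds:
        for entity in entities.get(key, []):
            name = entity[name_field]
            commands.append(
                f"aws iam detach-{kind}-policy --{kind}-name {name} --policy-arn {FULL_ACCESS_ARN}"
            )
            commands.append(
                f"aws iam attach-{kind}-policy --{kind}-name {name} --policy-arn {READ_ONLY_ARN}"
            )
    return commands


# Constructed sample data (not real account output), in the shape of the CLI responses.
SAMPLE_ENTITIES = {
    "PolicyUsers": [{"UserName": "ci-publisher", "UserId": "AIDAEXAMPLE1"}],
    "PolicyGroups": [{"GroupName": "developers", "GroupId": "AGPAEXAMPLE1"}],
    "PolicyRoles": [],
}

SAMPLE_INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ecr-public:*", "Resource": "*"}
  ]
}""")


if __name__ == "__main__":
    print("Write actions granted by the inline policy:")
    for action in allowed_write_actions(SAMPLE_INLINE_POLICY):
        print("  ", action)
    print("Remediation commands:")
    for cmd in remediation_commands(SAMPLE_ENTITIES):
        print("  ", cmd)
```

In a real account, feed `allowed_write_actions` the documents returned by `aws iam get-user-policy` / `get-role-policy` / `get-policy-version`, and pipe the output of `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicFullAccess` into `remediation_commands`. Review the generated commands before running them: an identity that legitimately pushes images needs a scoped policy, not a blanket downgrade to ReadOnly.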

Policy Details

Rule Reference ID: AC_AWS_0581
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks