Ensure there is no policy with invalid principal key for Amazon Elastic Container Registry (Amazon ECR)

LOW

Description

The Principal element of a repository access policy grants the specified users, accounts, or services access to that repository, so a malformed or invalid Principal key either fails to restrict access as intended or renders the statement unusable. For more information on how to properly assign a Principal within the ECR policy, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the Amazon ECR console.
  2. Select Repositories.
  3. Click the image repository that you want to configure. Select Permissions.
  4. In the Permission statements, select the policy statement.
  5. Click Edit and make the necessary changes.

In Terraform -

  1. In the aws_ecr_repository_policy resource, set the policy argument to a policy document whose Principal elements use only valid principal keys and reference the intended users, accounts, or services.
    To learn more about how to write an IAM policy, see the AWS documentation.
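As an added example (not part of this rule page or the scanner's own code), the following Python check validates the JSON policy document you would place in the Terraform policy argument, reporting any Principal key outside the set the IAM policy grammar allows (AWS, Service, Federated, CanonicalUser). The sample policies and the account ID 111122223333 are constructed.

```python
"""Flag ECR repository policy statements whose Principal uses an invalid key."""
import json

# Keys permitted inside a policy Principal element, per the IAM JSON policy grammar.
VALID_PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}

# Constructed sample: intends to grant pulls to an account but uses "Account" as the key.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromAccount",
        "Effect": "Allow",
        "Principal": {"Account": "arn:aws:iam::111122223333:root"},
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    }],
})

# Constructed sample: the same grant written with the valid "AWS" key.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    }],
})


def invalid_principal_keys(policy_json):
    """Return (sid, element, key) for every Principal/NotPrincipal key not in the allowed set.

    A wildcard Principal given as the string "*" has no keys and is not reported.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        for element in ("Principal", "NotPrincipal"):
            principal = stmt.get(element)
            if isinstance(principal, dict):
                for key in principal:
                    if key not in VALID_PRINCIPAL_KEYS:
                        findings.append((sid, element, key))
    return findings


if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, invalid_principal_keys(doc) or "OK")
```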

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

Policy Details

Rule Reference ID: AC_AWS_0024
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks