Ensure public repositories are disabled for Amazon Elastic Container Registry (Amazon ECR)

HIGH

Description

An ECR repository policy that grants actions to every principal (Principal "*" or {"AWS": "*"} with no condition narrowing the caller) makes the repository reachable from any AWS account: anyone can pull the images and inspect them for secrets, vulnerable dependencies or internal code, and can push or delete images if write actions are granted. Exposing a registry this way opens the application to external attack; restricting repository policies to named accounts, roles or service principals is the established best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Amazon ECR console.
  2. Select Repositories.
  3. Click the repository that you want to configure, then select Permissions.
  4. Under Permission statements, select the statement that grants access to all principals (Principal "*").
  5. Click Edit and either delete the statement or restrict its principal to the specific AWS accounts, roles or services that need access.

In Terraform -

  1. In the aws_ecr_repository_policy resource, set the policy attribute to a document whose Allow statements name specific principals (account or role ARNs, or a service principal) instead of "*", or that pair a "*" principal with a Condition such as aws:PrincipalOrgID. If no cross-account access is needed, remove the resource altogether; access is then governed by IAM identity policies in the owning account.
    To learn more about how to write an IAM policy, see the AWS documentation.
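
The following is an added example, not code from this rule page or from any scanner: a small checker that applies the test behind this rule to an ECR repository policy document, the same JSON you would pass to the policy attribute of aws_ecr_repository_policy (for instance via jsonencode). It flags Allow statements whose principal is "*" and that carry no condition pinning the caller to an account, organization or source resource. The policy documents, the account ID 111122223333 and the organization ID o-exampleorgid are constructed placeholders, and the set of condition keys treated as limiting is an assumption modelled on what IAM Access Analyzer treats as restricting a wildcard principal.

```python
"""Flag ECR repository policy statements that grant access to any principal.

Added example for rule AC_AWS_0084; not code from the rule page or any
scanner. Policy documents below are constructed for illustration.
"""
import json

# Condition keys that pin a "*" principal to a known account, organization
# or source resource. Assumption: a statement conditioned on one of these is
# not treated as public (modelled on IAM Access Analyzer's behaviour).
LIMITING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
}

PULL_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
]


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False  # Service / Federated principals are not public


def _has_limiting_condition(statement):
    """True if any condition key narrows who the "*" principal can be."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in LIMITING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy):
    """Return Sids (or positional indexes) of statements that make the
    repository public. Accepts a dict or the raw JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _has_limiting_condition(stmt):
            continue
        found.append(stmt.get("Sid", str(index)))
    return found


def is_public(policy):
    return bool(public_statements(policy))


# Constructed: the shape this rule flags. Any AWS principal can pull images.
# (ECR repository policies omit the Resource element; the repo is implicit.)
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyonePull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": PULL_ACTIONS,
    }],
}
PUBLIC_POLICY_JSON = json.dumps(PUBLIC_POLICY)

# Constructed remediation: only a named account (placeholder ID) and Lambda
# functions in that account may pull.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": PULL_ACTIONS,
        },
        {
            "Sid": "AllowLambdaPull",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": PULL_ACTIONS,
            "Condition": {"StringLike": {
                "aws:sourceArn": "arn:aws:lambda:us-east-1:111122223333:function:*"
            }},
        },
    ],
}

# Constructed: "*" principal that is still not public because the condition
# restricts callers to one organization (placeholder org ID).
ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrgPull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": PULL_ACTIONS,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY),
                      ("org-scoped", ORG_SCOPED_POLICY)]:
        print(f"{name:11s} public={is_public(doc)} offending={public_statements(doc)}")
```

Run it with the policy JSON from a plan file or from aws ecr get-repository-policy to see which statement the rule would trip on; in Terraform, the remediated document is what you would feed to the policy attribute of aws_ecr_repository_policy, typically through jsonencode. The checker deliberately treats Service principals and conditioned wildcards as non-public, which matches the rule's intent: the problem is an unbounded "*", not every use of it.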

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

Policy Details

Rule Reference ID: AC_AWS_0084
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks