Ensure permissions are tightly controlled for Amazon Elastic Container Registry (Amazon ECR)

HIGH

Description

Amazon Elastic Container Registry (ECR) is a managed container registry service that simplifies the storage, management, and deployment of Docker container images. However, allowing any user or role to perform any action on an ECR repository without restrictions is a significant security risk. When a repository policy statement has 'Effect' set to 'Allow' and 'Action' set to '*', it grants unrestricted access to valuable data and applications, increasing the risk of unauthorized access, data breaches, and malicious activity. This can have severe consequences for the infrastructure, such as data loss and service disruptions. Therefore, it is critical to define specific 'Action' values in ECR repository policies to establish robust access controls that ensure the security of container images.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and navigate to the Amazon ECR console.
  2. Select the image repository that you want to configure from the list of repositories.
  3. Click on the Permissions tab to view the repository's permissions.
  4. Locate the policy statement that has the 'Effect' set to 'Allow' and 'Action' set to '*'.
  5. Click on the policy statement to select it, and then click on the Edit button.
  6. Make the necessary changes to the policy statement. You can change the 'Effect' to 'Deny' or specify a more specific set of actions to allow.
  7. Once you have made the necessary changes, click on the Save button to update the policy statement.

In Terraform -

  1. In the aws_ecr_repository_policy resource, set the policy accordingly.
  2. Update the policy statement to reflect the necessary changes. You can change the 'Effect' to 'Deny' or specify a more specific set of actions to allow.
  3. Save the Terraform configuration file and apply the changes to update the repository's policy.
To learn more about how to write an IAM policy, see the AWS documentation.
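The Terraform remediation above, as an added example that is not part of the original page: an aws_ecr_repository_policy whose statement grants only the image-pull actions to one named role, with the over-broad form it replaces kept in a comment. The repository name, account ID and role name are placeholders.

```hcl
# Added example (not from the original page). Replaces a statement with
# Effect "Allow" and Action "*" by a least-privilege repository policy.

resource "aws_ecr_repository" "app" {
  name = "example-app" # placeholder repository name
}

data "aws_iam_policy_document" "ecr_pull" {
  # The weak form this statement replaces (the pattern the rule flags):
  #   statement {
  #     effect  = "Allow"
  #     actions = ["*"]
  #     principals {
  #       type        = "AWS"
  #       identifiers = ["*"]
  #     }
  #   }

  statement {
    sid    = "AllowPullFromDeployRole"
    effect = "Allow"

    # Restrict the statement to one named role instead of every principal.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/deploy-role"] # placeholder
    }

    # Grant only the repository-level actions needed to pull an image.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
  }
}

resource "aws_ecr_repository_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.ecr_pull.json
}
```

Pushing images or deleting the repository is not covered by this statement; add a separate statement with only those actions for the role that needs them.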

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

Policy Details

Rule Reference ID: AC_AWS_0085
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks