Ensure IAM policy is attached to Amazon Elastic Container Registry (Amazon ECR) repository

MEDIUM

Description

Identity and Access Management (IAM) identity-based policies can be configured to grant access to the entire ECR service. They differ from repository policies: an IAM policy scopes access to the ECR service as a whole, whereas a repository policy scopes access to an individual repository. Attaching a policy to the repository itself is how push and pull access to that specific repository is restricted. For more information, see the AWS ECR documentation.
References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html

Remediation

To create IAM policies and attach them to the ECR repository, follow the directions in the user guide referenced below.

In Terraform -

  1. Configure an aws_ecr_repository_policy resource with the repository field set as the name of the repository.
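The following Terraform configuration is an added example of that step; it is not taken from this page, from AWS, or from the Terraform provider documentation. The repository name `example-app`, the account ID `111122223333` and the role name `example-deploy-role` are placeholders, and the policy grants only read (pull) actions to that single role, which is the least-privilege shape a repository policy normally takes.

```hcl
# Placeholder repository; name and settings are example values.
resource "aws_ecr_repository" "app" {
  name                 = "example-app"
  image_tag_mutability = "IMMUTABLE"   # tags cannot be overwritten with a different image

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Resource-based policy scoped to this one repository.
# Principal and actions are assumptions for the example: a single deploy role
# that may pull images but not push or delete them.
data "aws_iam_policy_document" "app_repo" {
  statement {
    sid    = "AllowPullFromDeployRole"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/example-deploy-role"] # placeholder ARN
    }

    # Read-only repository actions needed for `docker pull`.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
  }
}

# The remediation step: attach the policy to the repository by name.
resource "aws_ecr_repository_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.app_repo.json
}
```

After `terraform apply`, the attached policy can be confirmed with `aws ecr get-repository-policy --repository-name example-app`; a repository with no policy attached returns a `RepositoryPolicyNotFoundException`, which is the condition this rule flags. Note that `ecr:GetAuthorizationToken` is a registry-level action and belongs in the principal's IAM policy, not in the repository policy.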

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

Policy Details

Rule Reference ID: AC_AWS_0466
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks