
AWS Private ECR repository policy is overly permissive

Description

AWS ECR is a managed Docker registry service that simplifies container image management. An ECR repository is a collection of container images stored in your AWS account. Access to a private ECR repository is governed by IAM identity policies together with an optional resource-based repository policy. A repository policy statement with Effect set to Allow and Principal set to "*" (and no narrowing Condition) grants that access to every AWS principal, which makes a private repository effectively public and can expose internal images containing confidential business logic.

We recommend that repository policies never grant unrestricted access to any principal: limit each Allow statement to the specific accounts, roles, or users that need to pull or push images, to help avoid data leakage.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon ECS console.
  3. Select Amazon ECR, then select Repositories.
  4. Click the image repository that you want to configure. To modify the permission policy, select Permissions.
  5. In the Permission statements, select the policy statement that has Effect set to Allow and Principal set to *.
  6. Click Edit, replace the wildcard Principal with the specific AWS account, role, or user ARNs that need access (or remove the statement if no external access is needed), and save the policy.
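The console steps above amount to finding Allow statements whose Principal is a wildcard and narrowing them. The following Python script is an added example, not part of this page or of any AWS or Checkov code: it runs the same check over a repository policy document and produces the narrowed version. The policy document, the Sids, and the account ID 123456789012 are constructed for illustration.

```python
"""Detect and narrow an overly permissive private ECR repository policy.

Constructed example: the policy below is a made-up input, not taken from any
real account. Only the policy-document logic is shown; fetching and applying
the policy (aws ecr get-repository-policy / set-repository-policy) is left
to the caller.
"""
import json
from typing import Any

# Constructed sample: the "before" policy the page warns about. The first
# statement lets any AWS principal pull images; the second is already scoped.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
        },
        {
            "Sid": "AllowPushFromCI",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-push"},
            "Action": ["ecr:PutImage"],
        },
    ],
}


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" is inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def find_overly_permissive(policy: dict) -> list[str]:
    """Return the Sid (or positional label) of each Allow statement that is
    open to any principal and carries no Condition block.

    A wildcard principal narrowed by a Condition (for example aws:PrincipalOrgID)
    is not reported here; such statements still deserve a manual review.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def restrict_principals(policy: dict, allowed_arns: list[str]) -> dict:
    """Return a copy of the policy in which every wildcard Allow principal is
    replaced by the given account/role/user ARNs; the input is left untouched."""
    fixed = json.loads(json.dumps(policy))  # deep copy via JSON round-trip
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": list(allowed_arns)}
    return fixed


if __name__ == "__main__":
    print("wildcard statements:", find_overly_permissive(PERMISSIVE_POLICY))
    narrowed = restrict_principals(
        PERMISSIVE_POLICY, ["arn:aws:iam::123456789012:user/Bob"]
    )
    print(json.dumps(narrowed, indent=2))
```

In practice the input would come from `aws ecr get-repository-policy --repository-name <name>` (its `policyText` field is a JSON string) and the narrowed document would be applied with `aws ecr set-repository-policy --repository-name <name> --policy-text file://policy.json`. Principals listed in the replacement should be the minimal set that actually needs to pull or push; prefer role ARNs over individual IAM users where possible.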

Fix - Buildtime

CloudFormation

Resource: AWS::ECR::Repository
Argument: Properties.RepositoryPolicyText.Statement.Principal

Resources: 
  MyRepository: 
    Type: AWS::ECR::Repository
    Properties: 
      ...
      RepositoryPolicyText: 
        ...
        Statement: 
          - ...
-           Principal: "*"
+                       Principal:
+             AWS: 
+                - "arn:aws:iam::123456789012:user/Bob"
+                - ...
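Review bot: the added `Principal:` line is indented well past the `AWS:` key that follows it, so the replacement would not parse as a valid YAML mapping under the statement item; align `Principal:` with the removed `Principal: "*"` line (same indentation as the other statement keys) so that `AWS:` nests beneath it. Also worth a sentence beside the example: the listed ARNs should be the minimal set of accounts or roles that need pull/push access, and the `Effect: Allow` statement should keep only the `Action` values those principals need.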