ECR Repository Exposed

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ECR-001

Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon Elastic Container Registry uses resource-based policies to control access. These types of permission policies let you specify who has access to your ECR repositories and what actions they can perform on them. Allowing public access to your Amazon ECR image repositories through resource-based policies can lead to data leakage and/or data loss.


Audit

To determine if there are any exposed ECR repositories available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to ECS dashboard at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECR, choose Repositories to view the existing repositories.

04 Select the image repository that you want to examine by clicking on its name (link).

05 Select the Permissions tab from the top panel to access the resource-based permissions set for the selected resource.

06 Inside the Policy document box, check the values of the Effect and Principal elements in the resource-based policy document. If the Effect element is set to "Allow" and the Principal element is set to "*" (i.e. everybody), the selected AWS Elastic Container Registry (ECR) image repository is exposed to everyone.

07 Repeat steps no. 4 – 6 for the rest of the Amazon ECR repositories available within the current region.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-repositories command (OSX/Linux/UNIX) to list the names of all Amazon ECR image repositories created in the selected AWS region:

aws ecr describe-repositories \
	--region us-east-1 \
	--output table \
	--query "repositories[*].repositoryName"

02 The command output should return a table with the requested repository names:

------------------------
| DescribeRepositories |
+----------------------+
|  cc-ecr-repository   |
|  cc-production-repo  |
+----------------------+

03 Run get-repository-policy command (OSX/Linux/UNIX) using the name of the image repository that you want to examine and custom query filters to describe the resource-based policy associated with the selected repository:

aws ecr get-repository-policy \
	--region us-east-1 \
	--repository-name cc-ecr-repository \
	--query "policyText"

04 The command output should return the requested access policy document:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "access-control-policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:SetRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

Check the values of the Effect and Principal elements. If the Effect element is set to "Allow" and the Principal element is set to "*" (i.e. everybody), the selected Amazon Elastic Container Registry (ECR) image repository is exposed to everyone.

05 Repeat step no. 3 and 4 for other AWS ECR repositories available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To update the resource-based policies associated with your Amazon ECR repositories in order to allow requests only from trusted entities, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to ECS dashboard at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECR, choose Repositories.

04 Select the image repository that you want to reconfigure (see Audit section part I to identify the right resource) by clicking on its name (link).

05 Select the Permissions tab from the top panel to access the permission policy defined for the selected repository.

06 Under Permission statements, select the policy statement that has Effect set to "Allow" and Principal set to "*", click on the Edit button to enter the edit mode, then perform the following:

  1. For Effect, select Allow to explicitly grant permission to a specified entity (principal).
  2. Within the Principal section, uncheck the Everybody (*) checkbox and enter the AWS account ID or AWS service name in the Principal box, or select the IAM entity (user, group, role) allowed to access the selected ECR repository from the All IAM entities table, based on your requirements.
  3. In the Actions section, choose the actions that the principal is allowed to perform for the selected image repository.
  4. Click Save all to apply the policy changes. Once applied, the console should display the following confirmation message: "Successfully updated repository policy".

07 Repeat step no. 4 – 6 for each Amazon ECR image repository that you want to reconfigure, available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Define the necessary resource-based policy for the selected Amazon ECR repository and save it in a JSON file named ecr-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your own custom policy. The following example describes an authorization policy document that allows an AWS account, identified by the ARN "arn:aws:iam::123456789012:root", to perform actions such as "ListImages" and "DescribeImages" on the selected Elastic Container Registry (ECR) repository:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "access-control-policy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:SetRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

02 Run set-repository-policy command (OSX/Linux/UNIX) to update the access policy associated with the selected Amazon ECR image repository (see Audit section part II to identify the right resource), with the one defined at the previous step:

aws ecr set-repository-policy \
	--region us-east-1 \
	--repository-name cc-ecr-repository \
	--policy-text file://ecr-access-policy.json

03 The command output should return the command request metadata:

{
    "policyText": "{\n  \"Version\" : \"2008-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"access-control-policy\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::123456789012:root\"\n    },\n    \"Action\" : [ \"ecr:GetDownloadUrlForLayer\", \"ecr:BatchGetImage\", \"ecr:BatchCheckLayerAvailability\", \"ecr:PutImage\", \"ecr:InitiateLayerUpload\", \"ecr:UploadLayerPart\", \"ecr:CompleteLayerUpload\", \"ecr:DescribeRepositories\", \"ecr:GetRepositoryPolicy\", \"ecr:ListImages\", \"ecr:DescribeImages\", \"ecr:SetRepositoryPolicy\", \"ecr:GetLifecyclePolicy\", \"ecr:PutLifecyclePolicy\", \"ecr:GetLifecyclePolicyPreview\", \"ecr:StartLifecyclePolicyPreview\" ]\n  } ]\n}",
    "repositoryName": "cc-ecr-repository",
    "registryId": "123456789012"
}

04 Repeat step no. 1 – 3 for each Amazon ECR image repository that you want to reconfigure, available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
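Added example, not part of this Conformity page or of the AWS CLI: a Python script that applies the Audit section's step 4 check (Effect "Allow" with a "*" Principal) to a policy document returned by get-repository-policy, and then produces the restricted policy from step 1 of the CLI remediation above. The sample policy is the exposed one shown in the Audit section, shortened to three actions; the check also treats the {"AWS": "*"} form of a wildcard principal as everybody, since ECR accepts both spellings.

```python
import json

# Constructed sample: the exposed policy from the Audit section, shortened to three actions.
EXPOSED_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "access-control-policy",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:ListImages"],
    }],
})


def _statements(policy):
    # A policy may carry a single statement object instead of a list.
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def _principals(statement):
    # Principal is either the bare string "*" or a map such as {"AWS": "*"}
    # or {"AWS": ["arn:...", "*"]}; every wildcard form means "everybody".
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():
        values.extend(entry if isinstance(entry, list) else [entry])
    return values


def exposed_statement_ids(policy_text):
    """Audit step 4: Sids of statements with Effect "Allow" and a "*" Principal."""
    return [
        s.get("Sid", "<no Sid>")
        for s in _statements(json.loads(policy_text))
        if s.get("Effect") == "Allow" and "*" in _principals(s)
    ]


def restrict_to_account(policy_text, account_arn):
    """Remediation step 1: swap each wildcard Principal for the trusted account
    ARN, keeping Sid, Effect and Action unchanged; the result is the JSON to
    save as ecr-access-policy.json."""
    policy = json.loads(policy_text)
    policy["Statement"] = _statements(policy)
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            s["Principal"] = {"AWS": account_arn}
    return json.dumps(policy, indent=4)
```

Pass the string returned by get-repository-policy --query "policyText" to exposed_statement_ids; a non-empty list means the repository is exposed, and restrict_to_account gives the file to feed to set-repository-policy.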

Publication date Nov 20, 2018