ECR policy allows public access Affecting ECR service in AWS


0.0
high
    Severity Framework Snyk CCSS
    Rule category Containers / Access

  • Frameworks CIS-Controls, CSA-CCM, PCI-DSS, SOC-2
  • Snyk ID SNYK-CC-00336
  • credit Snyk Research Team

Description

The ECR repository policy grants access to any AWS account rather than to specific, named principals.

How to fix?

Set the Statement.Principal attribute of the policy document to specific accounts only, e.g. arn:aws:iam::account-id:root, as in the following Terraform example.

resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "allowed" {
  repository = aws_ecr_repository.foo.name

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "ecr:ListImages"
            ]
        }
    ]
}
EOF
}
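As an added check that is not part of the Snyk rule page or its Terraform example: a small Python linter that reports Allow statements in an ECR repository policy document whose Principal is a wildcard, i.e. the condition this rule flags. Both sample policy documents are constructed for the example; the restricted one mirrors the fix above.

```python
import json

# Constructed sample policies (not from the page). The first is the
# misconfiguration this rule flags; the second matches the page's fix.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "open",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:ListImages", "ecr:BatchGetImage"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "new policy",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["ecr:ListImages"],
    }],
})


def _principals(principal):
    """Flatten the Principal element into a list of principal strings."""
    if isinstance(principal, str):            # "Principal": "*"
        return [principal]
    out = []
    for value in principal.values():          # {"AWS": ..., "Service": ...}
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_statements(policy_json):
    """Return the Sids of Allow statements whose Principal contains "*".

    A bare "*" principal, or {"AWS": "*"}, lets any AWS account use the
    statement. Statements carrying a Condition are still reported so that
    the condition can be reviewed by hand rather than silently trusted.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # IAM permits a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```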