ECR repository policy allows broad permissions Affecting ECR service in AWS

Severity Framework Snyk CCSS

Rule category IAM / Policy

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00764
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Granting broad permissions in the ECR repository policy can lead to unauthorized access and potential data breaches. Policies that are too permissive may allow users to perform any action on the ECR repository, increasing the risk of accidental or malicious alterations, deletions, or exposure of sensitive container images. It is essential to adhere to the principle of least privilege by restricting actions to the minimum required for specific roles or services.

How to fix?

Set the policy.Statement.Action attribute in aws_ecr_repository_policy resource to a value other than ecr:*.

Example Configuration


resource "aws_ecr_repository" "allowed1" {
  name = "allowed_764"
}

resource "aws_ecr_repository_policy" "allowed1_policy" {
  repository = aws_ecr_repository.allowed1.name
  policy = jsonencode(
    {
      Version = "2012-10-17",
      Statement = [
        {
          Principal = {
            "AWS" : ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
          }
          Effect = "Allow",
          Action = [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:InitiateLayerUpload",
            "ecr:ListImages"
          ],
        },
      ]
    }
  )
}

Terraform

aws_ecr_repository_policy