ECR policy allows public access Affecting ECR service in AWS

Snyk CCSS

Containers/ Access

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-ControlsCSA-CCMPCI-DSSSOC-2

Snyk IDSNYK-CC-00336
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

The ECR policy allows access to any account.

How to fix?

Set statement.principal attribute of policy document to specific accounts only e.g. arn:aws:iam::account-id:root.

resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "allowed" {
  repository = aws_ecr_repository.foo.name

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::111122223333:root" 
            },
            "Action": [
                "ecr:ListImages"
            ]
        }
    ]
}
EOF
}

Set Statement.Principal attribute of policy document to specific accounts only e.g. arn:aws:iam::account-id:root.

Example Configuration

Type: AWS::ECR::Repository
Properties:
 RepositoryPolicyText: {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "new policy",
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::<account-id>:root"
       },
       "Action": [
           "ecr:DeleteRepositoryPolicy"
       ]
     }
   ]
 }
 # other required properties

Terraform

aws_ecr_repository_policy

References

Private repository policies