ECR policy allows public access Affecting ECR service in AWS


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Containers / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CSA-CCM PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00336
  • credit Snyk Research Team

Description

The ECR policy allows access to any account.

How to fix?

Set statement.principal attribute of policy document to specific accounts only e.g. arn:aws:iam::account-id:root.

resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "allowed" {
  repository = aws_ecr_repository.foo.name

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::111122223333:root" 
            },
            "Action": [
                "ecr:ListImages"
            ]
        }
    ]
}
EOF
}