ECR repository policy allows broad permissions Affecting ECR service in AWS


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Policy

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
  • Snyk ID SNYK-CC-00764
  • credit Snyk Research Team

Description

Granting broad permissions in the ECR repository policy can lead to unauthorized access and potential data breaches. Policies that are too permissive may allow users to perform any action on the ECR repository, increasing the risk of accidental or malicious alterations, deletions, or exposure of sensitive container images. It is essential to adhere to the principle of least privilege by restricting actions to the minimum required for specific roles or services.

How to fix?

Set the policy.Statement.Action attribute in aws_ecr_repository_policy resource to a value other than ecr:*.

Example Configuration


resource "aws_ecr_repository" "allowed1" {
  name = "allowed_764"
}

resource "aws_ecr_repository_policy" "allowed1_policy" {
  repository = aws_ecr_repository.allowed1.name
  policy = jsonencode(
    {
      Version = "2012-10-17",
      Statement = [
        {
          Principal = {
            "AWS" : ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
          }
          Effect = "Allow",
          Action = [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:InitiateLayerUpload",
            "ecr:ListImages"
          ],
        },
      ]
    }
  )
}