Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CC-00764
- credit Snyk Research Team
Description
Granting broad permissions in the ECR repository policy can lead to unauthorized access and potential data breaches. Policies that are too permissive may allow users to perform any action on the ECR repository, increasing the risk of accidental or malicious alterations, deletions, or exposure of sensitive container images. It is essential to adhere to the principle of least privilege by restricting actions to the minimum required for specific roles or services.
How to fix?
Set the policy.Statement.Action attribute in aws_ecr_repository_policy resource to a value other than ecr:*.
Example Configuration
resource "aws_ecr_repository" "allowed1" {
name = "allowed_764"
}
resource "aws_ecr_repository_policy" "allowed1_policy" {
repository = aws_ecr_repository.allowed1.name
policy = jsonencode(
{
Version = "2012-10-17",
Statement = [
{
Principal = {
"AWS" : ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
Effect = "Allow",
Action = [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:InitiateLayerUpload",
"ecr:ListImages"
],
},
]
}
)
}