Ensure that your AWS Elastic Container Registry (ECR) repositories are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account entities. Before this rule is run by the Cloud Conformity engine, you need to configure the ID of each trusted AWS account that may access your ECR image repositories in the rule settings available on the Cloud Conformity console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing untrusted cross-account access to your Amazon ECR repositories increases the risk of data breaches and data loss. To prevent data leaks and data loss, and to avoid unexpected charges on your AWS bill, limit access to trusted entities only by implementing the necessary repository policies: these resource-based policies let you specify who has access to your ECR repositories and which actions they can perform on them.
Audit
To determine whether any AWS ECR image repositories allow unknown cross-account access, perform the following:
Remediation / Resolution
To update the resource-based policies associated with your Amazon ECR repositories so that cross-account access is allowed only from trusted AWS entities, perform the following actions:
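The audit and remediation logic above, as an added example that is not part of the Conformity rule or its tooling: given the policy document returned by `aws ecr get-repository-policy` and the list of trusted account IDs from the rule settings, it flags every Allow statement whose principals include an account outside that list (wildcards count as untrusted) and produces a policy text with those statements removed, suitable for `aws ecr set-repository-policy --policy-text`. The account IDs and policy below are constructed placeholders.

```python
import json

# Constructed sample repository policy (not from a real account): the first
# statement names a trusted account, the second also grants pull access to
# an account that is not on the trusted list.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustedPull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
        {"Sid": "UnknownPull", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::222222222222:user/ci"]},
         "Action": "ecr:BatchGetImage"},
    ],
})

def principal_accounts(principal):
    """Account IDs named in a statement's Principal; '*' marks a wildcard."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    aws = [aws] if isinstance(aws, str) else aws
    accounts = set()
    for entry in aws:
        if entry == "*" or entry.isdigit():
            accounts.add(entry)           # bare wildcard or bare account ID
        else:
            parts = entry.split(":")      # arn:partition:iam::ACCOUNT:resource
            accounts.add(parts[4] if len(parts) > 4 else entry)
    return accounts

def allows_untrusted(statement, trusted_accounts):
    """True if an Allow statement reaches any principal outside trusted_accounts."""
    if statement.get("Effect") != "Allow":
        return False
    return not principal_accounts(statement.get("Principal", {})) <= set(trusted_accounts)

def untrusted_sids(policy_json, trusted_accounts):
    """Audit: Sids of statements that grant access to unknown accounts."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "") for s in policy.get("Statement", [])
            if allows_untrusted(s, trusted_accounts)]

def remove_untrusted(policy_json, trusted_accounts):
    """Remediation: policy text with the offending statements dropped."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy.get("Statement", [])
                           if not allows_untrusted(s, trusted_accounts)]
    return json.dumps(policy)
```

A statement whose Principal is `*` (or `{"AWS": "*"}`) is always flagged, since no trusted-account list can cover a wildcard.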
References
- AWS Documentation
- Amazon Elastic Container Service FAQs
- Amazon Elastic Container Registry pricing
- Amazon ECR Repositories
- Amazon ECR Repository Policies
- Setting a Repository Policy Statement
- Amazon ECR Repository Policy Examples
- AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
- ecr
- describe-repositories
- get-repository-policy
- set-repository-policy