Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Elastic Container Registry uses resource-based policies to control access. These types of permission policies let you specify who has access to your ECR repositories and what actions they can perform on them. Allowing public access to your Amazon ECR image repositories through resource-based policies can lead to data leakage and/or data loss.
Audit
To determine if there are any exposed ECR repositories available in your AWS account, perform the following actions:
Remediation / Resolution
To update the resource-based policies associated with your Amazon ECR repositories in order to allow requests only from trusted entities, perform the following actions:
References
- AWS Documentation
- Amazon Elastic Container Service FAQs
- What Is Amazon Elastic Container Registry?
- Amazon ECR Repositories
- Amazon ECR Repository Policies
- Setting a Repository Policy Statement
- Amazon ECR Repository Policy Examples
- AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
- ecr
- describe-repositories
- get-repository-policy
- set-repository-policy