Ensure AWS ECR repository is not exposed to public
Error: AWS Private ECR repository policy is overly permissive
Bridgecrew Policy ID: BC_AWS_PUBLIC_1
Checkov Check ID: CKV_AWS_32
AWS Private ECR repository policy is overly permissive
AWS ECR is a managed Docker registry service that simplifies Docker container image management. An ECR repository is a collection of Docker images stored on AWS. Access to a repository is governed by its resource-based repository policy: a statement with Effect set to Allow and Principal set to "*" (and no restricting Condition) makes the repository reachable by anyone. A public ECR repository can expose internal Docker images that contain confidential business logic.
We recommend that you do not allow unrestricted public access to ECR repositories, to help avoid data leakage.
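The following is an added example, not Bridgecrew's or Checkov's own code, showing how the condition this policy describes can be detected in a CloudFormation template: it walks each AWS::ECR::Repository resource, normalises the Principal element of every statement in RepositoryPolicyText, and reports statements that allow a wildcard principal without a Condition. The templates it scans are constructed for illustration, and the "no Condition" rule and the Sid-based reporting are this example's own assumptions rather than Checkov's exact implementation of CKV_AWS_32.

```python
# Added example (not Bridgecrew's/Checkov's code): detect ECR repository
# policies that grant access to every principal.
import json


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, lists) into strings."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return [p for item in principal for p in _principals(item)]
    if isinstance(principal, dict):
        return [p for value in principal.values() for p in _principals(value)]
    return []


def public_statements(policy):
    """Return the Sids of statements that are Effect: Allow with a wildcard
    principal and no Condition. Accepts a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement is legal too
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a Condition; not unrestricted public access (assumption)
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def check_template(template):
    """Scan a CloudFormation template dict for AWS::ECR::Repository resources
    whose RepositoryPolicyText allows a wildcard principal.
    Returns {logical_id: [offending Sids]} for failing resources."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue
        policy = resource.get("Properties", {}).get("RepositoryPolicyText")
        if not policy:
            continue
        offending = public_statements(policy)
        if offending:
            results[logical_id] = offending
    return results


def template_with(principal, condition=None):
    """Build a constructed sample template around one pull statement."""
    stmt = {
        "Sid": "AllowPull",
        "Effect": "Allow",
        "Principal": principal,
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    }
    if condition:
        stmt["Condition"] = condition
    return {
        "Resources": {
            "MyRepository": {
                "Type": "AWS::ECR::Repository",
                "Properties": {
                    "RepositoryPolicyText": {
                        "Version": "2012-10-17",
                        "Statement": [stmt],
                    }
                },
            }
        }
    }


# The weak setting beside the corrected one (account ID is a placeholder).
PUBLIC_TEMPLATE = template_with("*")
PUBLIC_DICT_TEMPLATE = template_with({"AWS": "*"})
FIXED_TEMPLATE = template_with({"AWS": ["arn:aws:iam::123456789012:user/Bob"]})
CONDITIONED_TEMPLATE = template_with(
    "*", {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
)

if __name__ == "__main__":
    for name, tpl in [("public", PUBLIC_TEMPLATE), ("fixed", FIXED_TEMPLATE)]:
        print(name, check_template(tpl) or "PASSED")
```

Run it as a script to see the public template fail and the fixed one pass; in a CI job you would load the real template with a YAML parser and feed the resulting dict to check_template.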
Fix - Runtime
To change the policy using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon ECS console.
- Select Amazon ECR, then select Repositories.
- Click the image repository that you want to configure. To modify the permission policy, select Permissions.
- In the Permission statements, select the policy statement that has Effect set to Allow and Principal set to *.
- To select a restricted access policy, click Edit and make changes.
Fix - Buildtime
Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      ...
      RepositoryPolicyText:
        ...
        Statement:
          - ...
-           Principal: "*"
+           Principal:
+             AWS:
+               - "arn:aws:iam::123456789012:user/Bob"
+               - ...