Severity: HIGH
Source: Trivy
ID: AVD-AWS-0032

ECR repository policy must block public access

Allowing public access to the ECR repository risks leaking sensitive or abusable information, such as proprietary application code, embedded credentials, or internal configuration baked into container images.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Do not allow public access in the policy

Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: test-repository
      RepositoryPolicyText:
        Statement:
          # Grants push access only to one named IAM user. There is no "*"
          # principal anywhere, so the repository is not publicly accessible.
          - Action:
              - ecr:PutImage
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/Alice
            Sid: AllowPushPull
        Version: "2012-10-17"

Do not allow public access in the policy

# The policy below interpolates the caller's account ID, so the data source
# it refers to must be declared.
data "aws_caller_identity" "current" {}

resource "aws_ecr_repository" "example" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "example" {
  repository = aws_ecr_repository.example.name
  # Only the owning account's root principal is granted access; no "*"
  # principal, so the repository is not public.
  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
            },
            "Action": [
                "ecr:SetRepositoryPolicy"
            ]
        }
    ]
}
EOF
}
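The rule this check enforces, applied to a policy document offline, as an added example (this is not Trivy's own implementation of AVD-AWS-0032): it reports every Allow statement whose Principal contains the wildcard "*", in any of the shapes IAM accepts, over a constructed policy that pairs the Terraform statement above with a public pull grant.

```python
"""Flag ECR repository policy statements that grant public access (added
example, not Trivy's own AVD-AWS-0032 implementation)."""
import json


def _principal_values(principal):
    """Flatten the Principal element ("*", {"AWS": ...}, lists) to strings."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():  # keys such as AWS, Service, Federated
        values.extend(entry if isinstance(entry, list) else [entry])
    return values


def public_statements(policy):
    """Return (index, sid, has_condition) for each Allow statement open to anyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is valid too
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principal_values(stmt.get("Principal", {})):
            # A Condition (e.g. aws:PrincipalOrgID) may narrow the grant, so the
            # statement is still reported but marked for triage.
            findings.append((index, stmt.get("Sid", ""), "Condition" in stmt))
    return findings


# Constructed sample: the account-root statement from the Terraform example
# plus a second statement that would open image pulls to everyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "new policy", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["ecr:SetRepositoryPolicy"]},
        {"Sid": "PublicPull", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    ],
})
```

Running `public_statements(SAMPLE_POLICY)` reports only the second statement; a Deny with a wildcard principal is not reported, since it does not grant anything.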