AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
ECR Repositories Should Be Private
More Info:
ECR repository policies should not enable global or public access to images. ECR repository policies should limit access to images to known IAM entities and AWS accounts and avoid the use of account-level wildcards.
Risk Level
High
Address
Security
Compliance Standards
HIPAA, PCIDSS, SOC2, AWSWAF, HITRUST, NISTCSF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration of ECR repositories not being private in AWS:
- Login to your AWS console.
- Navigate to the Amazon Elastic Container Registry (ECR) service.
- Select the repository that you want to make private.
- Click on the “Permissions” tab.
- Under the “Repository policy” section, click on the “Edit” button.
- In the JSON editor, replace the existing policy with the following policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AccessDenied",
"Effect": "Deny",
"Principal": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
},
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root"
},
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Note: Replace “AWS_ACCOUNT_ID” with your AWS account ID.
- Click on the “Save” button to save the policy.
- Verify that the repository is now private by checking the “Repository visibility” under the “Overview” tab.
That’s it! You have successfully remediated the misconfiguration of ECR repositories not being private in AWS.
To remediate the misconfiguration of ECR repositories being public, you can follow the below steps using AWS CLI:
-
Open the AWS CLI and run the following command to list all ECR repositories in your account:
aws ecr describe-repositories -
For each repository that is public, run the following command to modify its permissions:
aws ecr set-repository-policy --repository-name <repository-name> --policy-text '{"Version": "2008-10-17", "Statement": [{"Sid": "DenyPublicPull", "Effect": "Deny", "Principal": "*", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken", "ecr:DescribeRepositories", "ecr:ListImages"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}'Replace
<repository-name>with the name of the repository that you want to make private. -
Verify that the repository is now private by running the following command:
aws ecr describe-repositories --repository-names <repository-name>The output should include
"repositoryPolicyText": "{\"Version\": \"2008-10-17\", \"Statement\": [{\"Sid\": \"DenyPublicPull\", \"Effect\": \"Deny\", \"Principal\": \"*\", \"Action\": [\"ecr:BatchGetImage\", \"ecr:GetDownloadUrlForLayer\", \"ecr:GetAuthorizationToken\", \"ecr:DescribeRepositories\", \"ecr:ListImages\"], \"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}}]}" -
Repeat the above steps for all ECR repositories that are public in your account.
By following these steps, you can remediate the misconfiguration of ECR repositories being public and make them private.
To remediate the misconfiguration “ECR Repositories Should Be Private” for AWS using python, you can follow these steps:
- Import the necessary AWS SDK and Boto3 library in your python code.
import boto3
- Create a Boto3 ECR client object to interact with ECR.
ecr_client = boto3.client('ecr')
- Get a list of all the ECR repositories in your AWS account using the
describe_repositoriesmethod.
response = ecr_client.describe_repositories()
repositories = response['repositories']
- For each repository, check if it is public or not using the
describe_imagesmethod. If the repository is public, update its permissions to make it private using theset_repository_policymethod.
for repo in repositories:
response = ecr_client.describe_images(repositoryName=repo['repositoryName'])
if 'imageDetails' in response and len(response['imageDetails']) > 0:
image_detail = response['imageDetails'][0]
if 'imageTags' in image_detail and len(image_detail['imageTags']) > 0:
image_tag = image_detail['imageTags'][0]
policy_text = '{"Version": "2008-10-17","Statement": [{"Sid": "AllowPushPull","Effect": "Allow","Principal": {"AWS": "*"},"Action": ["ecr:GetDownloadUrlForLayer","ecr:BatchGetImage","ecr:BatchCheckLayerAvailability","ecr:PutImage","ecr:InitiateLayerUpload","ecr:UploadLayerPart","ecr:CompleteLayerUpload"]},{"Sid": "DenyAll","Effect": "Deny","Principal": {"AWS": "*"},"Action": "ecr:*"}]}'
ecr_client.set_repository_policy(repositoryName=repo['repositoryName'], policyText=policy_text)
- Once the permissions have been updated, print a message to confirm that the repositories have been made private.
print("All ECR repositories have been made private.")
This code will remediate the misconfiguration “ECR Repositories Should Be Private” for AWS using python.