AWS-ECR-ECR-Repository-Policy

Severity : Critical

Description: This control ensures that the ECR repository access policy names a specific role or IAM user as its principal and does not use the wildcard (*) character. Amazon ECR provides repositories for container images. Only specific users should have write access to a repository and its images; a wildcard principal may allow unintended and malicious access to the repository and the container images it holds. Security guidelines recommend that the ECR policy grant access only to specific IAM roles or users.

Remediation Steps:

Perform the following steps to update the ECR policy:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. From the Services menu, open the Amazon ECR console.

  3. In the navigation pane, choose Repositories.

  4. On the Repositories page, choose the repository to view its contents.

  5. From the repository image list view, choose Permissions, then Edit.

  6. On the Edit permissions page, for Principal, choose the role or IAM user that the policy statement applies to.

  7. Choose Save to set the policy.

Important:

  • The account granting the permissions must have the Region in which it is creating the repository policy enabled; otherwise an error will occur.
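The check this control describes can be run against an exported repository policy before and after the console edit above. The following is an added example, not part of the original control text: it embeds a constructed weak policy and a corrected one (the account id and role name are hypothetical placeholders) and flags every Allow statement whose Principal is a wildcard.

```python
import json

# Constructed sample policies (not from any real account): a weak one that
# grants push access to any principal, and a corrected one scoped to one role.
PUSH_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPushFromAnyone", "Effect": "Allow",
                   "Principal": "*", "Action": PUSH_ACTIONS}],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPushFromCiRole", "Effect": "Allow",
                   # Hypothetical account id and role name, used as placeholders.
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-image-push"},
                   "Action": PUSH_ACTIONS}],
})


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) into a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def wildcard_principal_statements(policy_text):
    """Return the Sids of Allow statements whose Principal is a wildcard.

    Both the bare "*" form and {"AWS": "*"} count as wildcards, which is what
    this control flags. Deny statements are skipped: a wildcard Deny does
    not widen access to the repository.
    """
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings
```

For a live repository, the `policyText` field returned by `aws ecr get-repository-policy --repository-name <name>` is the JSON string to pass to `wildcard_principal_statements`.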

Reference:


Blue Hexagon Proprietary