Ensure that your AWS Elastic Container Registry (ECR) repositories are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account entities. Prior to running this rule by the Cloud Conformity engine, you need to configure the ID of each trusted AWS account that can access your ECR image repositories within the rule settings available on the Cloud Conformity console.
Allowing untrustworthy cross account access to your Amazon ECR repositories increases the risk of data breaches and data loss. To prevent data leaks, data loss and avoid unexpected costs on your AWS bill, limit access only to trusted entities by implementing the necessary access policies, as these resource-based policies let you specify who has access to your ECR repositories and what actions they can perform on them.
To determine if there are any AWS ECR image repositories that allow unknown cross account access, perform the following:
To update the resource-based policies associated with your Amazon ECR repositories in order to allow cross account access only from trusted AWS entities, perform the following actions: