
AWS ECR Unknown Cross Account Access


Risk level: High (not acceptable risk)

Ensure that your AWS Elastic Container Registry (ECR) repositories are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account entities. Prior to running this rule by the Cloud Conformity engine, you need to configure the ID of each trusted AWS account that can access your ECR image repositories within the rule settings available on the Cloud Conformity console.

Allowing untrusted cross account access to your Amazon ECR repositories increases the risk of data breaches and data loss. An external account that can push images to a repository can supply the images your workloads will run, and one that can change the repository policy can widen its own access. To prevent data leaks and data loss and to avoid unexpected costs on your AWS bill, limit access to trusted entities by implementing the necessary access policies: these resource-based policies specify who has access to your ECR repositories and which actions they can perform on them.

Audit

To determine if there are any AWS ECR image repositories that allow unknown cross account access, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to ECS/ECR dashboard at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECR, choose Repositories to view the existing repositories.

04 Select the image repository that you want to examine by clicking on its name, available in the Repository name column.

05 Select the Permissions tab from the top panel to access the permissions set for the selected repository.

06 Inside the Policy document text box, check the Principal element of each statement and identify the AWS account ID (e.g. 123456789000) included in each principal ARN. A principal can also be a bare account ID, an IAM user or role ARN, a list of several of these, or the wildcard "*", which grants access to every AWS account. If the Permissions tab shows no policy, the repository is reachable only from the account that owns it.

07 Sign in to your Cloud Conformity console, access AWS ECR Unknown Cross Account Access conformity rule settings and compare the AWS account ID found at the previous step against each ID listed within the rule configuration section. If the identity (account) ID found does not match any of the trusted entities IDs listed on your Cloud Conformity dashboard, the cross account access to the selected AWS Elastic Container Registry (ECR) image repository is not secured.

08 Repeat steps no. 4 – 7 for each Amazon ECR repository available in the selected region.

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-repositories command (OSX/Linux/UNIX) to list the names of all Amazon ECR repositories created in the selected AWS region:

aws ecr describe-repositories \
	--region us-east-1 \
	--output table \
	--query "repositories[*].repositoryName"

02 The command output should return a table with the requested identities (names):

------------------------
| DescribeRepositories |
+----------------------+
|  cc-production-repo  |
|  cc-ecr-repository   |
+----------------------+

03 Run get-repository-policy command (OSX/Linux/UNIX) using the name of the image repository that you want to examine as identifier and custom query filters to describe the access policy associated with the selected repository:

aws ecr get-repository-policy \
	--region us-east-1 \
	--repository-name cc-production-repo \
	--query "policyText"

04 The command output should return the requested access policy document:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "cross-account-access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789000:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DeleteLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

Check the Principal element value of each Allow statement to identify the AWS account ID included in the AWS entity Amazon Resource Name (ARN). The value may be a single ARN, a list of ARNs or bare account IDs, or the wildcard "*"; a wildcard principal makes the repository accessible to every AWS account and should be treated as unknown access regardless of the trusted account list. If the command fails with RepositoryPolicyNotFoundException, the repository has no resource-based policy and is reachable only from its own account.

05 Sign in to your Cloud Conformity console, access AWS ECR Unknown Cross Account Access conformity rule settings and compare the AWS account ID found at the previous step against each ID listed in the rule configuration. If the account ID defined within the policy does not match any of the trusted entities IDs listed on your Cloud Conformity console, the cross account access to the selected Amazon Elastic Container Registry (ECR) image repository is not secured.

06 Repeat steps no. 3 – 5 for other Amazon ECR repositories available in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
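The CLI audit above is manual: one get-repository-policy call per repository, then a visual comparison of each Principal against the trusted list. The following script is an added example (not Cloud Conformity's or AWS's code) that automates the same check. The parsing functions run offline against an embedded sample policy, constructed here from the Audit section's example plus a public statement; audit_region() is the only part that talks to AWS and assumes boto3 is installed and credentials are available. It handles the principal shapes a repository policy can carry (bare account IDs, root ARNs, user or role ARNs, lists, and the "*" wildcard) and skips Deny statements, which only narrow access.

```python
import json
import re

# Group 1 of this pattern is the 12-digit account ID in a root, user or role ARN.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principal_entries(principal):
    """Flatten a Principal element ("*" or {"AWS": ..., "Service": ...}) into (type, value) pairs."""
    if isinstance(principal, str):
        return [("AWS", principal)]
    entries = []
    for kind, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            entries.append((kind, value))
    return entries


def account_of(value):
    """Account ID behind a bare 12-digit ID, root ARN or user/role ARN; None for "*" or junk."""
    if re.fullmatch(r"\d{12}", value):
        return value
    match = ARN_ACCOUNT_RE.match(value)
    return match.group(1) if match else None


def find_untrusted_access(policy_text, trusted_accounts):
    """Return [{"sid", "principal", "reason"}] for Allow statements whose principal is not trusted."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "")
        for kind, value in principal_entries(stmt.get("Principal", {})):
            if value == "*":
                reason = "wildcard principal grants access to every AWS account"
            elif kind != "AWS":
                reason = f"{kind} principal carries no account ID; review manually"
            else:
                account = account_of(value)
                if account in trusted_accounts:
                    continue
                reason = (f"account {account} is not in the trusted list"
                          if account else "principal could not be parsed")
            findings.append({"sid": sid, "principal": value, "reason": reason})
    return findings


def audit_region(region, trusted_accounts):
    """Return {repository_name: findings} for every repository in one region.

    Needs boto3 plus credentials allowed to call ecr:DescribeRepositories and
    ecr:GetRepositoryPolicy. A repository with no policy is skipped because it is
    reachable only from the account that owns it.
    """
    import boto3  # imported here so the parsing functions above run without the SDK

    ecr = boto3.client("ecr", region_name=region)
    results = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            name = repo["repositoryName"]
            try:
                text = ecr.get_repository_policy(repositoryName=name)["policyText"]
            except ecr.exceptions.RepositoryPolicyNotFoundException:
                continue
            findings = find_untrusted_access(text, trusted_accounts)
            if findings:
                results[name] = findings
    return results


# Constructed sample: the Audit section's policy trimmed to two actions, plus a
# public statement, so there is both an untrusted account and a wildcard to flag.
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "cross-account-access", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789000:root",
                           "arn:aws:iam::123456789012:role/ci-pull"]},
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Sid": "public-pull", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:BatchGetImage"]}]})

if __name__ == "__main__":
    for finding in find_untrusted_access(SAMPLE_POLICY, {"123456789012"}):
        print(finding)
```

Run it as-is to see the two findings from the sample (the 123456789000 root principal and the public statement), or call audit_region("us-east-1", {"123456789012"}) with credentials to walk a real region; loop over the regions returned by `aws ec2 describe-regions` to cover the whole account, matching step 07 above.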

Remediation / Resolution

To update the resource-based policies associated with your Amazon ECR repositories in order to allow cross account access only from trusted AWS entities, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to ECS/ECR dashboard at https://console.aws.amazon.com/ecs/.

03 In the left navigation panel, under Amazon ECR, choose Repositories.

04 Select the image repository that you want to reconfigure (see Audit section part I to identify the right ECR resource) by clicking on its name (link).

05 Select the Permissions tab from the top panel to access the permission policy configured for the selected repository.

06 Under Permission statements, select the policy statement that you want to update, click on the Edit button to enter the edit mode, then perform the following:

  1. For Effect, select Allow to explicitly grant permission to the specified entity (principal).
  2. In the Principal section, replace the AWS account ID available within the Principal box with the account ID of the trusted AWS entity, defined in the conformity rule settings. Repeat this step for each unknown AWS entity that you want to replace, in order to implement secure and trustworthy cross account access.
  3. In the Actions section, choose only the actions that the principal actually needs on the selected ECR image repository. A consumer that only pulls images needs ecr:GetDownloadUrlForLayer, ecr:BatchGetImage and ecr:BatchCheckLayerAvailability; granting ecr:SetRepositoryPolicy or ecr:DeleteRepositoryPolicy to another account lets that account rewrite this policy itself.
  4. Click Save all to apply the policy changes. Once the changes are saved, the console should display the following confirmation message: "Successfully updated repository policy".

07 Repeat step no. 4 – 6 for each Amazon ECR repository that you want to reconfigure, available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 First, define the required access policy for the selected Amazon ECR repository and save it in a JSON file named cross-account-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your own custom policy. The following example describes an access policy document that allows a trusted AWS account, identified by the ARN "arn:aws:iam::123456789012:root", to perform a broad set of actions on the selected Elastic Container Registry (ECR) repository. Treat the action list as a template and trim it to what the other account needs: a pull-only consumer needs just ecr:GetDownloadUrlForLayer, ecr:BatchGetImage and ecr:BatchCheckLayerAvailability, while ecr:PutImage lets it publish images your workloads will run and ecr:SetRepositoryPolicy lets it change this policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "cross-account-access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DeleteLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

02 Run set-repository-policy command (OSX/Linux/UNIX) to replace the cross account access policy associated with the selected Amazon ECR image repository (see Audit section part II to identify the right ECR resource), with the one defined at the previous step:

aws ecr set-repository-policy \
	--region us-east-1 \
	--repository-name cc-production-repo \
	--policy-text file://cross-account-access-policy.json

03 The command output should return the applied policy document together with the repository name and registryId (the account that owns the repository, not the account being granted access):

{
    "policyText": "{\n  \"Version\" : \"2008-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"cross-account-access\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::123456789012:root\"\n    },\n    \"Action\" : [ \"ecr:GetDownloadUrlForLayer\", \"ecr:BatchGetImage\", \"ecr:BatchCheckLayerAvailability\", \"ecr:PutImage\", \"ecr:InitiateLayerUpload\", \"ecr:UploadLayerPart\", \"ecr:CompleteLayerUpload\", \"ecr:DescribeRepositories\", \"ecr:GetRepositoryPolicy\", \"ecr:ListImages\", \"ecr:DescribeImages\", \"ecr:DeleteRepository\", \"ecr:BatchDeleteImage\", \"ecr:SetRepositoryPolicy\", \"ecr:DeleteRepositoryPolicy\", \"ecr:GetLifecyclePolicy\", \"ecr:PutLifecyclePolicy\", \"ecr:DeleteLifecyclePolicy\", \"ecr:GetLifecyclePolicyPreview\", \"ecr:StartLifecyclePolicyPreview\" ]\n  } ]\n}",
    "repositoryName": "cc-production-repo",
    "registryId": "123456789012"
}

04 Repeat step no. 1 – 3 for each Amazon ECR image repository that you want to reconfigure, available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
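The policy in step 01 grants the external account every repository action, including the ones that let it modify the policy or delete the repository. The following script is an added example (not Cloud Conformity's or AWS's code) that generates a pull-only policy for a set of trusted account IDs and checks any policy before it is written to the file passed to `--policy-text`, refusing wildcard principals, wildcard actions and the privileged actions listed. The PRIVILEGED_ACTIONS set and the output file name are assumptions of this example; the embedded OVERLY_BROAD_POLICY is a constructed subset of the page's step 01 policy.

```python
import json

# The three actions a consumer needs to `docker pull` from a repository.
PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]
# Actions that let a foreign principal alter images, the repository or its policy.
# A principal holding ecr:SetRepositoryPolicy can rewrite the policy and grant
# itself, or anyone else, whatever it likes, so the trust boundary is gone.
PRIVILEGED_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
    "ecr:PutLifecyclePolicy", "ecr:DeleteLifecyclePolicy",
}


def build_pull_policy(trusted_accounts, sid="trusted-cross-account-pull"):
    """Return a policy dict granting pull-only access to the given 12-digit account IDs."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in sorted(trusted_accounts)]
    return {"Version": "2008-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": principals},
        "Action": list(PULL_ACTIONS)}]}


def policy_problems(policy):
    """List the reasons a repository policy should not be applied as-is.

    Flags wildcard principals, wildcard actions, and privileged actions in any
    Allow statement. Returns [] when the policy is acceptable.
    """
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            problems.append(f"{sid}: wildcard principal makes the repository public")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action.endswith("*"):
                problems.append(f"{sid}: wildcard action {action}")
            elif action in PRIVILEGED_ACTIONS:
                problems.append(f"{sid}: privileged action {action} granted by repository policy")
    return problems


def write_policy_file(policy, path="cross-account-access-policy.json"):
    """Write the policy for `aws ecr set-repository-policy --policy-text file://<path>`,
    refusing to write one that policy_problems() rejects."""
    problems = policy_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=4)
    return path


# Constructed sample: a subset of the Remediation section's example policy, which
# grants the trusted account far more than it needs to pull images.
OVERLY_BROAD_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "cross-account-access", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": PULL_ACTIONS + ["ecr:PutImage", "ecr:DeleteRepository",
                              "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy"]}]}

if __name__ == "__main__":
    for problem in policy_problems(OVERLY_BROAD_POLICY):
        print(problem)
    print(json.dumps(build_pull_policy({"123456789012"}), indent=4))
```

Running the script prints the four privileged actions the page's example hands to the other account, then the trimmed policy; write_policy_file(build_pull_policy({...})) produces the file that step 02's set-repository-policy command consumes. If a partner genuinely must push images, give that statement its own Sid and principal rather than widening the pull statement, and leave ecr:SetRepositoryPolicy to your own account.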


Publication date Nov 20, 2018