Description:
Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.
Rationale:
A public repository is open to publicly pull images from and is visible on the Amazon ECR Public Gallery. When creating a public repository you specify catalog data which helps users find and use your images. This could make the custom definitions visible too.
Impact:
Ensuring only private ECR Repositories in the environment is a safe practice since it comes with additional features such as tag immutability, Scan on push, KMS Encryption, etc., to choose from.
Default Value:
There is NO default value assigned by AWS for ECR Repositories.
When creating a repository the user has to specify the visibility settings to be PUBLIC or PRIVATE.
Pre-Requisite:
Existing repositories on ECR
IAM users require permissions to make calls to the Amazon ECR APIs and to push or pull images to and from your repositories.
Remediation:
Test plan:
Navigate to the ECS dashboard at https://console.aws.amazon.com/ecs/
Select Repositories under Amazon ECR on the left
On the top, look for PUBLIC which contains the public ECR Repositories.
If you don’t see any repositories in the PUBLIC section on top it means that there are no public ECR Repositories
Implementation:
Navigate to the ECR dashboard at https://console.aws.amazon.com/ecr/
Select Repositories under Amazon ECR on the left
Select Public on the top to view ECR Repositories that are set to public
In the navigation pane, choose Permissions.
On the Edit permissions page, choose to Add statement.
For Statement name, enter a name for the statement
For Effect, choose whether the policy statement will result in an allow or an explicit denial.
For the Principal, choose the scope to apply the policy statement to.
You can apply the statement to all authenticated AWS users by selecting the Everyone (*) check box.
For Service principal, specify the service principal name to apply the statement to a specific service.
For AWS Account IDs, specify an AWS account number to apply the statement to all users under a specific AWS account. Multiple accounts can be specified by using a comma delimited list.
we can change access permission in Edit policy JSON as shown below.
Using AWS CLI:
To set the repository policy
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file://my-policy.jsonBackout Plan:
If you no longer want an existing repository policy statement to apply to a repository, you can delete it.
To delete a repository policy statement
Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
From the navigation bar, choose the Region that contains the repository to delete a policy statement from.
In the navigation pane, choose Repositories.
On the Repositories page, select the Public tab and then choose the repository to delete a policy statement from.
In the navigation pane, choose Permissions, Edit.
On the Edit permissions page, choose Delete.
Note:
By default, your account has read and write access to the repositories in your default registry (
aws_account_id.dkr.ecr.region.amazonaws.com).The public repositories you create that contain images appear publicly on the Amazon ECR Public Gallery. Visit the Amazon ECR Public Gallery at https://gallery.ecr.aws.
Repositories can be controlled with both IAM user access policies and individual repository policies.
Private Repository names can support namespaces, which you can use to group similar repositories.
Reference:
Amazon ECR public repositories - Amazon ECR Public
