Description

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. 


Rationale:  

Identify any exposed ECR repositories in the environment and make sure repository access is not public. Repositories in Amazon ECR are private by default: nothing outside the owning account can reach them unless a repository policy (an IAM resource-based policy attached to the repository) grants access to other IAM users, roles, or AWS accounts. A repository policy whose Principal is "*" with no restricting Condition allows anyone to pull the images, exposing application code, configuration, and any secrets baked into the layers. (Amazon ECR Public is a separate registry whose repositories are public by design; it is out of scope for this check.)


Remediation: 

To make an ECR repository private, remove or restrict the repository policy statement that grants access to an anonymous principal ("*"). Note that the owning account's access is governed by its identity-based IAM policies, so it is unaffected by removing the repository policy. First retrieve the current policy:

  • aws ecr get-repository-policy [--registry-id <value>] --repository-name <value> [--cli-input-json <value>]

    [--generate-cli-skeleton <value>]

Then either delete the policy entirely, so that only the owning account's IAM policies apply:

  • aws ecr delete-repository-policy [--registry-id <value>] --repository-name <value>

or replace it with one that names specific accounts, roles, or users as principals:

  • aws ecr set-repository-policy [--registry-id <value>] --repository-name <value> --policy-text <value>
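The identify-then-restrict procedure above, as an added example that is not part of the original page or AWS's own tooling: a Python script that classifies a repository policy document (public, conditional, or restricted), builds a replacement policy for set-repository-policy, and, through boto3, audits every repository in a region. The sample policy documents, the account ID 123456789012, the organization ID o-exampleorgid, and the function names are assumptions made for illustration.

```python
import json
from typing import Any, Dict, List

# Policy documents below are constructed samples for this example, not real
# repository policies; the account ID and org ID are placeholders.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyonePull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                   "ecr:BatchCheckLayerAvailability"],
    }],
})

ORG_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgPullOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (as a string or inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_policy(policy_text: str) -> Dict[str, List[str]]:
    """Split Allow statements with a wildcard principal into two buckets:
    "public" (no Condition, so anyone on the internet matches) and
    "conditional" (a Condition narrows the principal; review it manually)."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    result: Dict[str, List[str]] = {"public": [], "conditional": []}
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        bucket = "conditional" if stmt.get("Condition") else "public"
        result[bucket].append(stmt.get("Sid", f"statement-{i}"))
    return result


def is_public(policy_text: str) -> bool:
    return bool(classify_policy(policy_text)["public"])


def restricted_pull_policy(account_ids: List[str]) -> str:
    """Replacement policy for `set-repository-policy --policy-text`: read-only
    pull access for the named accounts only, with no wildcard principal."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPullFromNamedAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                       "ecr:BatchCheckLayerAvailability"],
        }],
    }, indent=2)


def audit_region(region: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk every repository in one region and return the flagged ones.
    boto3 is imported here so the pure-JSON helpers above run without it."""
    import boto3  # needs credentials allowing ecr:DescribeRepositories and ecr:GetRepositoryPolicy
    ecr = boto3.client("ecr", region_name=region)
    findings: Dict[str, Dict[str, List[str]]] = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            name = repo["repositoryName"]
            try:
                text = ecr.get_repository_policy(repositoryName=name)["policyText"]
            except ecr.exceptions.RepositoryPolicyNotFoundException:
                continue                      # no policy: only the owner's IAM applies
            verdict = classify_policy(text)
            if verdict["public"] or verdict["conditional"]:
                findings[name] = verdict
    return findings


if __name__ == "__main__":
    import sys
    for region in sys.argv[1:] or ["us-east-1"]:
        for repo, verdict in audit_region(region).items():
            print(f"{region}/{repo}: public={verdict['public']} conditional={verdict['conditional']}")
```

Run it with one or more region names as arguments; a repository that appears under "public" should have its policy deleted or replaced. The output of restricted_pull_policy can be written to a file and passed to the CLI as `--policy-text file://policy.json`. Statements flagged "conditional" are not automatically safe: a condition such as aws:PrincipalOrgID is a genuine restriction, but a weak or mistyped condition key still leaves the repository open, so those policies need a manual review.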


Reference: