Profile Applicability:
• Level 1
Description:
Configure the Cluster Service Account with the Storage Object Viewer Role to only allow read-only access to Amazon ECR.
Rationale:
The Cluster Service Account does not require administrative access to Amazon ECR; it only requires pull access to container images for deployment onto Amazon EKS. Restricting permissions ensures the principle of least privilege is followed and prevents abuse of credentials beyond the required role.
Impact:
Pros:
Prevents unnecessary permissions from being granted to the Cluster Service Account.
Limits the attack surface by ensuring only read-only access to ECR images.
Cons:
A separate service account may be needed for tasks requiring push or administrative access, increasing management complexity.
Default Value:
By default, users and services with appropriate permissions can have both read and write access to Amazon ECR. This needs to be explicitly configured to read-only access.
Pre-requisites:
The cluster must be configured with IAM roles or policies that grant read-only access to ECR repositories for users or services that do not need write access.
Remediation
Test Plan:
Using AWS Console:
Go to IAM in the AWS Console.
Review the permissions associated with the service accounts or users in your Kubernetes cluster.
Verify that the users or roles interacting with Amazon ECR have only the necessary permissions (e.g., ecr:BatchGetImage, ecr:DescribeRepositories).
Using AWS CLI:
List the IAM policies attached to the service accounts (the query below returns the customer-managed policy by name; substitute <policy-name> with the policy attached to the account):
aws iam list-policies --scope Local --query "Policies[?PolicyName=='<policy-name>']"
Ensure the appropriate read-only permissions are set for accessing ECR repositories.
Implementation Plan
Using AWS Console:
Create a read-only IAM policy for ECR access and attach it to the necessary users or service accounts.
Example steps to create and attach a read-only policy:
Go to IAM > Policies > Create policy.
Select JSON and paste the read-only policy.
Attach the policy to the service accounts or users as needed.
Using AWS CLI:
Create a new read-only IAM policy for ECR access:
aws iam create-policy --policy-name ECRReadOnlyPolicy --policy-document file://ecr-read-only-policy.json
Attach the policy to the necessary user or service account:
aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/ECRReadOnlyPolicy
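As an added check for this benchmark item (not part of the CIS text), the following Python reviews a policy document such as the ecr-read-only-policy.json used above and reports any Allow action that grants more than read access to ECR; the embedded policy is a constructed sample, and the action list, prefixes and function names are assumptions.

```python
# Constructed sample of the ecr-read-only-policy.json referenced by the create-policy
# command (assumption: the benchmark page does not show the file's contents).
ECR_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",       # needed to log in before any pull
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:DescribeRepositories",
        ],
        "Resource": "*",
    }],
}

# ECR actions that only read (pull, describe, list). IAM matches action names
# case-insensitively, so the prefixes are compared in lower case.
READ_ONLY_PREFIXES = ("ecr:get", "ecr:describe", "ecr:list", "ecr:batchget", "ecr:batchcheck")


def write_actions(policy: dict) -> list:
    """Return the ECR actions in Allow statements that are not read-only.
    Wildcards are judged by the text before the '*': "ecr:Get*" is read-only, while
    "ecr:*", "ecr:Batch*" (covers BatchDeleteImage) and a bare "*" count as write
    access. Actions for other services are out of scope for this check."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            lowered = action.lower()
            if lowered != "*" and not lowered.startswith("ecr:"):
                continue
            base = lowered.split("*", 1)[0]
            if not base.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


def is_read_only(policy: dict) -> bool:
    """True when no Allow statement grants ECR write access."""
    return not write_actions(policy)
```

The same function can be run on the document returned by aws iam get-policy-version for the policy attached to the account, which covers the check in the Test Plan above.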
Backout Plan
Using AWS Console:
If access needs to be reverted, detach the read-only policy and reattach any broader permissions needed for write access.
Using AWS CLI:
To remove the read-only policy:
aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/ECRReadOnlyPolicy