Profile Applicability:
• Level 1
Description:
Use approved container registries.
Rationale:
Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.
Impact:
All container images deployed to the cluster must be hosted within an approved container image registry. This reduces the risk of introducing unverified or potentially insecure container images into your environment.
Default Value:
By default no restriction is applied: the API server accepts any image reference, and nodes pull from whatever registry that reference names.
Audit:
1. Identify all container image registries being used within the organization.
2. Review any third-party registries and verify their compliance with your organization's security policies.
3. Ensure no unapproved container registries are being used to deploy images into the Kubernetes cluster.
Remediation
Test Plan:
Using AWS Console
Navigate to Amazon ECR in the AWS Console and review the repositories in each region the cluster uses, confirming they belong to the approved set. Note that the console shows only the ECR repositories that exist in your account; it does not show whether pods are pulling from other registries (Docker Hub, Quay, another account's ECR), so the image references of running workloads must be reviewed as well.
Using AWS CLI:
1. To list the ECR repositories in a region and compare them with the approved set, run:
aws ecr describe-repositories --region <region>
This enumerates repositories in the current account and region only. Images pulled from public registries or from other AWS accounts never appear in this output, so the audit is not complete until the image references of running pods have been checked against the allowlist.
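The ECR listing above shows what exists in your account, not what the cluster actually runs. The following script, added here as an example and not part of the benchmark, does the cluster-side half of the audit: it collects every container and init-container image reference from the cluster, resolves each reference to its registry host using the image reference grammar (the first path component is a registry only if it contains a dot or a colon or is `localhost`; anything else, including a bare `nginx:1.25`, is Docker Hub shorthand), and prints the ones outside the allowlist. The approved hostnames and the sample image list are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark): cluster-side registry audit.
# APPROVED_REGISTRIES holds assumed hostnames; replace with your approved list.
APPROVED_REGISTRIES="123456789012.dkr.ecr.us-east-1.amazonaws.com quay.io"

# registry_of <image-ref>: print the registry host an image reference resolves to.
# Per the image reference grammar, the first path component is a registry only if
# it contains '.' or ':' or is 'localhost'; otherwise (and when there is no '/'
# at all, e.g. "nginx:1.25") the reference is Docker Hub shorthand.
registry_of() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   printf 'docker.io\n'; return 0 ;;
    esac
    case $first in
        localhost|*.*|*:*) printf '%s\n' "$first" ;;
        *)                 printf 'docker.io\n' ;;
    esac
}

# is_approved <image-ref>: succeed if the image's registry is in APPROVED_REGISTRIES.
is_approved() {
    reg=$(registry_of "$1")
    for allowed in $APPROVED_REGISTRIES; do
        [ "$reg" = "$allowed" ] && return 0
    done
    return 1
}

# unapproved_images: read image references (one per line) on stdin and print those
# from non-approved registries. Exit status 0 when every image is approved,
# 1 when at least one is not.
unapproved_images() {
    rc=0
    while IFS= read -r img; do
        [ -n "$img" ] || continue
        if ! is_approved "$img"; then
            printf '%s\n' "$img"
            rc=1
        fi
    done
    return $rc
}

# cluster_images: image references of all containers and init containers in the
# cluster, deduplicated. Needs kubectl access to the cluster; not run below.
cluster_images() {
    kubectl get pods --all-namespaces \
        -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
        | sort -u
}

# Constructed sample standing in for cluster_images output (not real cluster data).
SAMPLE_IMAGES='123456789012.dkr.ecr.us-east-1.amazonaws.com/payments:v1.4.2
quay.io/prometheus/node-exporter:v1.8.1
nginx:1.25
ghcr.io/someorg/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
localhost:5000/dev/app:latest
library/redis:7'

# Offline demonstration; against a real cluster run: cluster_images | unapproved_images
printf '%s\n' "$SAMPLE_IMAGES" | unapproved_images \
    || echo "audit FAILED: the images listed above are not from an approved registry" >&2
```

On the constructed sample the script flags four images: the two Docker Hub references (`nginx:1.25` and `library/redis:7`), the GitHub Container Registry image and the local registry, and it exits non-zero so it can gate a CI job. Matching is on the exact registry host, so `quay.io.attacker.example/...` is not mistaken for `quay.io`.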
Implementation Plan
Using AWS Console:
Set up IAM policies on the node IAM role (and on any pod-level roles used for pulls) so that only the approved Amazon ECR repositories can be pulled, in place of account-wide ECR read access. Note that ECR permissions only limit what can be pulled from ECR; they do nothing to stop a pod from specifying an image on Docker Hub or another public registry.
Enforce the allowlist at admission time. On EKS the API server's ImagePolicyWebhook admission plugin cannot be enabled, because the control plane is managed and its admission configuration is not user-controllable; use a ValidatingAdmissionPolicy (Kubernetes 1.30 and later) or a policy engine such as Kyverno or OPA Gatekeeper to reject pods whose container, init container or ephemeral container images are not from an approved registry.
Using AWS CLI:
Use the AWS CLI to create a customer managed policy that grants the pull actions (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) only on the approved repository ARNs, then attach it to the node IAM role and detach the broader ECR read-only policy. Install the admission policy with kubectl as part of the same change.
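The two enforcement measures of the implementation plan, as one added example that is not the benchmark's own code: a scoped IAM policy for ECR pulls and a ValidatingAdmissionPolicy that rejects any pod whose images are not prefixed by an approved registry host. The account ID, region, repository prefix, node role name, policy name and registry hostnames are placeholders assumed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark): enforce the registry allowlist on an EKS
# cluster in two layers. Every identifier below is a placeholder for the demo.
REGION=${REGION:-us-east-1}
ACCOUNT_ID=${ACCOUNT_ID:-123456789012}
APPROVED_REPO_PREFIX=${APPROVED_REPO_PREFIX:-prod/}   # only repositories under prod/ may be pulled
NODE_ROLE=${NODE_ROLE:-eks-node-role}
APPROVED_REGISTRIES='["123456789012.dkr.ecr.us-east-1.amazonaws.com", "quay.io"]'

# Layer 1: IAM. Allow image pulls only from the approved ECR repositories.
# GetAuthorizationToken is not resource-scoped, so it stays on "*". This limits
# what can be pulled from ECR; it cannot stop a pod from naming an image on
# Docker Hub or another public registry, which is what layer 2 is for.
ecr_pull_policy_document() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${APPROVED_REPO_PREFIX}*" }
  ]
}
EOF
}

# Create the managed policy and attach it to the node role. The broad
# AmazonEC2ContainerRegistryReadOnly policy must be detached separately.
create_ecr_pull_policy() {
    arn=$(aws iam create-policy --policy-name ECRApprovedReposPull \
              --policy-document "$(ecr_pull_policy_document)" \
              --query Policy.Arn --output text) || return 1
    aws iam attach-role-policy --role-name "$NODE_ROLE" --policy-arn "$arn"
}

# Layer 2: admission control (Kubernetes 1.30+). The CEL rule gathers every image
# from containers, initContainers and ephemeralContainers and requires each one to
# start with "<approved-host>/". Docker Hub shorthand such as "nginx:1.25" has no
# host prefix and is therefore rejected, which is the intended behaviour unless
# docker.io is itself approved.
approved_registries_policy() {
    cat <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: approved-registries
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods", "pods/ephemeralcontainers"]
  variables:
  - name: approved
    expression: '${APPROVED_REGISTRIES}'
  - name: images
    expression: >-
      object.spec.containers.map(c, c.image)
      + (has(object.spec.initContainers) ? object.spec.initContainers.map(c, c.image) : [])
      + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.map(c, c.image) : [])
  validations:
  - expression: "variables.images.all(img, variables.approved.exists(r, img.startsWith(r + '/')))"
    message: "container images must be pulled from an approved registry"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: approved-registries
spec:
  policyName: approved-registries
  validationActions: ["Deny"]
EOF
}

# Install (or update) the policy and its binding in the current kubectl context.
apply_admission_policy() {
    approved_registries_policy | kubectl apply -f -
}
```

Run `create_ecr_pull_policy` and then `apply_admission_policy` from a shell with the right AWS and kubectl credentials. Before switching the binding to `Deny`, it is worth applying it with `validationActions: ["Audit"]` for a while and reviewing the resulting audit annotations, since a Deployment whose pods are rejected will simply sit with zero ready replicas. On EKS versions before 1.30 the same rule can be expressed as a Kyverno or Gatekeeper policy; the IAM layer is unchanged.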
Backout Plan
Using AWS Console
Revert Access Control Changes: If necessary, revert the IAM policies restricting access to registries to their previous state. This will restore access to unapproved registries if an issue occurs during remediation.
Roll Back the Registry Approval Process: If the approval process proves too restrictive or unworkable, roll back to the previous method of registry management.
Using AWS CLI:
1. To revert the policy settings and allow other registries, detach the policy and then delete it:
aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/ECRReadOnlyPolicy
aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/ECRReadOnlyPolicy
If the policy was attached to the node IAM role rather than to an IAM user, detach it from the role (the role-based detach command takes --role-name) before deleting it. Also remove any admission policy or webhook installed during remediation; otherwise pods referencing other registries will still be rejected even though the IAM change has been reverted.