ECR image repository has public access

ID

aws_ecr_repository_public

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

ECR image repository has public access. Access to ECR repositories is controlled by repository policies. A public ECR repository can expose internal images that contain confidential information (credentials, internal hostnames, proprietary code) to anyone with an AWS account.

To fix it, configure a repository policy that does not grant access to all users, i.e. one whose statements do not use Principal: "*"; grant access to specific principals instead, as in the mitigation example below.

Learn more about this topic at AWS ECR.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: set-policy as object
      community.aws.ecs_ecr:
        name: needs-policy-object
        policy:
          Version: '2008-10-17'
          Statement:
            - Sid: all
              Effect: Allow
              Principal: "*"   # every AWS caller: this is what makes the repository public
              Action:
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                - ecr:BatchCheckLayerAvailability

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: set-policy as object
      community.aws.ecs_ecr:
        name: needs-policy-object
        policy:
          Version: '2008-10-17'
          Statement:
            - Sid: read-only
              Effect: Allow
              Principal:
                AWS: '{{ read_only_arn }}'   # ARN of the one principal allowed to pull images
              Action:
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                - ecr:BatchCheckLayerAvailability
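As an added example (not part of this rule page or the community.aws module), the following Python checker applies the rule's condition to the two policies above, mirrored inline as dicts with a placeholder ARN in place of read_only_arn. It goes slightly beyond the page by also recognising the {"AWS": "*"} spelling of a wildcard principal and by ignoring Deny statements, which do not open the repository.

```python
from typing import Any

# Constructed inline to mirror the two playbooks above; the ARN is a placeholder.
ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
           "ecr:BatchCheckLayerAvailability"]
PUBLIC_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "all", "Effect": "Allow", "Principal": "*", "Action": ACTIONS}]}
RESTRICTED_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "read-only", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/read-only"},
     "Action": ACTIONS}]}


def principal_is_wildcard(principal: Any) -> bool:
    """True if the Principal element matches every caller.

    Covers both spellings AWS accepts for "anyone": the bare string "*"
    and {"AWS": "*"}, with "*" given directly or inside a list.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that name a wildcard principal.

    Deny statements are skipped: "Principal": "*" in a Deny does not open
    the repository. A Condition block is not inspected, so a conditioned
    grant is still reported and left for manual review (conservative).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and principal_is_wildcard(stmt.get("Principal"))
    ]


def is_public(policy: dict) -> bool:
    """The check behind aws_ecr_repository_public: any open Allow statement."""
    return bool(public_statements(policy))
```

Running public_statements over a policy read back from the ECR API or from a playbook reports "all" for the first example and nothing for the fix.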