ECR Repository Is Publicly Accessible
- Query id: fb5a5df7-6d74-4243-ab82-ff779a958bfd
- Query name: ECR Repository Is Publicly Accessible
- Platform: Ansible
- Severity: Critical
- Category: Access Control
- CWE: 668
- URL: Github
Description¶
Amazon ECR image repositories shouldn't have public access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: set-policy as object
community.aws.ecs_ecr:
name: needs-policy-object
policy:
Version: '2008-10-17'
Statement:
- Sid: read-only
Effect: Allow
Principal: '*'
Action:
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- ecr:BatchCheckLayerAvailability
- name: set-policy as string
community.aws.ecs_ecr:
name: needs-policy-string
policy: >
{
"Id": "id113",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:put"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::S3B_181355/*",
"Principal": "*"
}
]
}