ECR Repository Is Publicly Accessible

  • Query id: fb5a5df7-6d74-4243-ab82-ff779a958bfd
  • Query name: ECR Repository Is Publicly Accessible
  • Platform: Ansible
  • Severity: Critical
  • Category: Access Control
  • CWE: 668
  • URL: Github

Description

Amazon ECR image repositories shouldn't have public access, i.e. a repository policy whose Allow statement grants actions to the wildcard principal '*'.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: set-policy as object
  community.aws.ecs_ecr:
    name: needs-policy-object
    policy:
      Version: '2008-10-17'
      Statement:
        - Sid: read-only
          Effect: Allow
          Principal: '*'
          Action:
            - ecr:GetDownloadUrlForLayer
            - ecr:BatchGetImage
            - ecr:BatchCheckLayerAvailability
- name: set-policy as string
  community.aws.ecs_ecr:
    name: needs-policy-string
    policy: >
        {
          "Id": "id113",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "s3:put"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::S3B_181355/*",
              "Principal": "*"
            }
          ]
        }

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: set-policy as object
  community.aws.ecs_ecr:
    name: needs-policy-object
    policy:
      Version: '2008-10-17'
      Statement:
      - Sid: read-only
        Effect: Allow
        Action:
        - ecr:GetDownloadUrlForLayer
        - ecr:BatchGetImage
        - ecr:BatchCheckLayerAvailability
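As an added example (not the KICS query's own implementation or Ansible code), the following Python detector performs the check this query describes: it flags an ECR task whose repository policy contains an Allow statement for the anonymous principal, handling both the object form and the JSON-string form shown in the samples above, and it goes one step further than the samples by also recognising the {"AWS": "*"} spelling of the wildcard principal. The tasks are given already parsed into Python structures, as yaml.safe_load would return them, so the example runs on the standard library alone; the sample tasks and the account id are constructed.

```python
import json
ECR_MODULES = ("community.aws.ecs_ecr", "ecs_ecr")  # FQCN and the older short module name


def principal_is_public(principal):
    """True for '*' and for {'AWS': '*'} (also inside a list): the anonymous-principal forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy):
    """Labels (Sid or position) of Allow statements open to any principal; policy is a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)  # the 'policy as string' form
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def scan_playbook(tasks):
    """(repository name, statement label) for every ECR task whose policy is public."""
    findings = []
    for task in tasks:
        for module in ECR_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and "policy" in args:
                for label in public_statements(args["policy"]):
                    findings.append((args.get("name", "<unnamed>"), label))
    return findings


# Constructed tasks, shaped as yaml.safe_load would return the page's samples (account id is a placeholder).
SAMPLE_TASKS = [
    {"name": "set-policy as object", "community.aws.ecs_ecr": {
        "name": "needs-policy-object",
        "policy": {"Version": "2008-10-17", "Statement": [{"Sid": "read-only", "Effect": "Allow",
                   "Principal": "*", "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]}}},
    {"name": "set-policy as string", "community.aws.ecs_ecr": {
        "name": "needs-policy-string",
        "policy": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                  '"Principal": {"AWS": "*"}, "Action": ["ecr:BatchGetImage"]}]}'}},
    {"name": "private repo", "community.aws.ecs_ecr": {"name": "private-repo", "policy": {
        "Version": "2008-10-17", "Statement": [{"Effect": "Allow", "Action": ["ecr:BatchGetImage"],
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}}},
]
```

Running scan_playbook(SAMPLE_TASKS) reports the first two repositories and stays silent on the third, whose principal is a specific account; a Deny statement for '*' is not reported, since it restricts rather than grants access.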