Amazon Elastic Container Registry (ECR)
Identifier | Guardrail | Rationale | Remediation | References | Policy | IAM Actions |
---|---|---|---|---|---|---|
IAM-ECR-1 | Check that sensitive ECR calls such as BatchDeleteImage and DeleteRepository are available to authorized principals only. | ECR holds container (Docker) images that are typically shared by multiple project groups. Developers and app owners should be allowed to delete individual images, but deleting an entire repository should be a privileged action because it can remove images that other teams still depend on. | For ecr:DeleteRepository either: use the ecr:ResourceTag/${TagKey} condition key so that only the repository's rightful owner (as recorded in a tag on the repository) can delete it; OR remove the action from the policy entirely (contingent on the separation of duties and roles in the organization); OR require MFA in the condition (aws:MultiFactorAuthPresent). | | Resource policy | ecr:BatchDeleteImage, ecr:DeleteRepository |
IAM-ECR-2 | Check that only authorized principals are able to pull images from ECR. | An authorization token (ecr:GetAuthorizationToken) is what a client uses to authenticate to the registry before it can pull. Only authorized principals should be able to retrieve the token, in order to protect the images in ECR. Note that the token only authenticates the client; whether a given image can actually be pulled is decided by the permissions on the pull actions (ecr:BatchGetImage, ecr:GetDownloadUrlForLayer) in the caller's identity policy and the repository's resource policy, so those must be scoped as well. | For the action ecr:GetAuthorizationToken either: explicitly grant it to a list of authorized principals; OR consider using aws:PrincipalOrgPaths when multiple AWS accounts need access. ecr:GetAuthorizationToken is a registry-level action that must be granted on Resource "*", so for cross-account access the aws:PrincipalOrgPaths condition belongs on the repository policy that grants the pull actions. | https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html | | ecr:GetAuthorizationToken |
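Worked example for the IAM-ECR-1 and IAM-ECR-2 remediations above. This is an added illustration, not code from the guardrail document or an AWS sample: it builds the identity policy for IAM-ECR-1 (tag-scoped, MFA-gated repository deletion), the identity and repository policies for IAM-ECR-2 (token on Resource "*", pulls restricted to an organization path), and runs them through a deliberately small model of IAM condition matching so the effect of each condition can be seen offline. The account ID, region, tag key `owner`, repository name and organization path are assumed placeholders.

```python
"""Added example for IAM-ECR-1 / IAM-ECR-2; not from the guardrail document.
Account, region, tag key and org path are assumed placeholders. The evaluator
is a small model of IAM condition matching for illustration only; use
`aws iam simulate-custom-policy` to check real policies."""
import fnmatch

ACCOUNT, REGION, OWNER_TAG = "111122223333", "us-east-1", "owner"  # assumed
ORG_PATH = "o-exampleorgid/r-examplerootid/ou-examplerootid-1/*"     # assumed
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/*"
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability"]


def ecr1_identity_policy(team: str) -> dict:
    """IAM-ECR-1: delete images anywhere, but delete a repository only when it
    is tagged owner=<team> and the session is MFA-authenticated."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DeleteImagesInAnyRepo", "Effect": "Allow",
         "Action": "ecr:BatchDeleteImage", "Resource": REPO_ARN},
        {"Sid": "DeleteOnlyOwnRepoWithMfa", "Effect": "Allow",
         "Action": "ecr:DeleteRepository", "Resource": REPO_ARN,
         "Condition": {
             "StringEquals": {f"ecr:ResourceTag/{OWNER_TAG}": team},
             "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]}


def ecr2_identity_policy(repo_arn: str) -> dict:
    """IAM-ECR-2, identity side: the token action is registry-level and only
    works with Resource "*"; the pull actions are scoped to the repository."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "GetToken", "Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Sid": "PullFromRepo", "Effect": "Allow",
         "Action": PULL_ACTIONS, "Resource": repo_arn},
    ]}


def ecr2_repository_policy() -> dict:
    """IAM-ECR-2, resource side: only principals from accounts under the
    assumed OU path may pull; repository policies carry no Resource field."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PullFromOrgUnitOnly", "Effect": "Allow", "Principal": "*",
         "Action": PULL_ACTIONS,
         "Condition": {"ForAnyValue:StringLike":
                       {"aws:PrincipalOrgPaths": [ORG_PATH]}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Model of the three operators used above; a missing context key fails."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                ok = have == want
            elif op == "Bool":
                ok = str(have).lower() == str(want).lower()
            elif op == "ForAnyValue:StringLike":
                ok = any(fnmatch.fnmatchcase(v, p)
                         for v in _as_list(have or []) for p in _as_list(want))
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Toy evaluation: default deny, explicit Deny wins, an Allow needs action,
    resource and every condition to match. Principal matching is not modelled."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Serialize the returned dicts with `json.dumps(..., indent=2)` to get documents that can be attached with `aws iam put-role-policy` or `aws ecr set-repository-policy`. The evaluator makes the two caveats visible: a DeleteRepository call on a repository tagged for another team, or without MFA, is denied even though the caller has the action, and a pull is denied under the repository policy when the caller's aws:PrincipalOrgPaths does not fall under the allowed OU path.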