ECR private repositories should not grant public image downloads
Description
Identify Amazon Elastic Container Registry (ECR) private repositories whose repository policy lets anyone download their container images.
Rationale
An ECR repository policy that grants access to every principal ("Principal": "*") makes a private repository effectively public: any identity in any AWS account can pull its images. Container images routinely contain source code, credentials, API keys, and other sensitive data, so public pull access exposes that material to unauthorized users.
Remediation
- First, retrieve the current repository policy and save it to policy.json. Replace <region>, <account-id>, and <repository-name> with your actual values (--registry-id is optional and defaults to the caller's account). The command returns a JSON document whose policyText field holds the policy as a string, so extract that field:
aws ecr get-repository-policy --region <region> --registry-id <account-id> --repository-name <repository-name> --query policyText --output text > policy.json
- Open policy.json in a text editor. Find every Allow statement whose Principal is "*" (or {"AWS": "*"}) and whose Action covers pulling, such as ecr:BatchGetImage and ecr:GetDownloadUrlForLayer, ecr:*, or a wildcard that matches them, and remove it. A statement that combines "Principal": "*" with a Condition (for example aws:PrincipalOrgID) may be intentionally scoped to your organization; review it before deleting it. If removing the public statements leaves no statements at all, do not apply an empty Statement list (it is not a valid policy); delete the repository policy instead with the delete-repository-policy subcommand.
- After editing the policy, apply the updated policy to the repository:
aws ecr set-repository-policy --region <region> --registry-id <account-id> --repository-name <repository-name> --policy-text file://policy.json
- Finally, run get-repository-policy again and confirm that no statement with "Principal": "*" remains.
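The manual edit above is easy to get wrong on a repository with several statements, so the following is an added example (not part of this page or of any AWS tooling) that automates the review step: it parses the output of get-repository-policy, flags Allow statements that grant pull actions to "Principal": "*" or {"AWS": "*"}, removes the unconditioned ones, keeps conditioned ones for manual review, and signals when nothing remains so that delete-repository-policy is used instead of set-repository-policy. The SAMPLE_POLICY, its Sids, and the account ID 111122223333 are constructed for illustration; the script name strip_public_pull.py in the usage comment is likewise an assumption.

```python
import fnmatch
import json

# Actions that allow pulling an image (manifest plus layers) from a repository.
PULL_ACTIONS = ("ecr:batchgetimage", "ecr:getdownloadurlforlayer")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True for "*" or {"AWS": "*"} (or a list containing "*"), i.e. any principal in any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_pull(statement):
    """True if the statement's Action (wildcards included, e.g. ecr:* or ecr:Get*) covers a pull action."""
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(fnmatch.fnmatchcase(pull, pattern) for pattern in patterns for pull in PULL_ACTIONS)


def find_public_pull(policy):
    """Return [(statement, has_condition)] for Allow statements that grant pull to anyone.

    A Condition (for example aws:PrincipalOrgID) may legitimately narrow "Principal": "*",
    so such statements are reported for review rather than treated as plainly public.
    """
    found = []
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") == "Allow" and _anyone(s.get("Principal")) and _grants_pull(s):
            found.append((s, bool(s.get("Condition"))))
    return found


def strip_public_pull(policy):
    """Remove unconditioned public-pull statements.

    Returns (new_policy, removed, needs_review). new_policy is None when no statements
    remain: an empty Statement list is not a valid policy, so the repository policy
    must then be deleted (aws ecr delete-repository-policy) rather than set.
    """
    flagged = find_public_pull(policy)
    removed = [s for s, conditioned in flagged if not conditioned]
    needs_review = [s for s, conditioned in flagged if conditioned]
    remaining = [s for s in _as_list(policy.get("Statement")) if s not in removed]
    if not remaining:
        return None, removed, needs_review
    new_policy = dict(policy)
    new_policy["Statement"] = remaining
    return new_policy, removed, needs_review


def policy_from_cli_output(text):
    """get-repository-policy returns JSON whose policyText field is the policy as a JSON string."""
    return json.loads(json.loads(text)["policyText"])


# Constructed sample policy (not from any real account); 111122223333 is a documentation placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # public pull: any identity in any AWS account can download every image
            "Sid": "AllowAnyonePull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        },
        {   # wildcard principal scoped to one organization by a Condition: review, do not auto-remove
            "Sid": "OrgScopedWildcard",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "ecr:*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {   # ordinary cross-account pull from a named account: fine
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        },
    ],
}

if __name__ == "__main__":
    import sys
    # Usage (assumed script name): aws ecr get-repository-policy ... | python3 strip_public_pull.py > policy.json
    raw = sys.stdin.read()
    policy = policy_from_cli_output(raw) if raw.strip() else SAMPLE_POLICY
    new_policy, removed, review = strip_public_pull(policy)
    for s in removed:
        print("removed:", s.get("Sid"), file=sys.stderr)
    for s in review:
        print("review (Principal * with Condition):", s.get("Sid"), file=sys.stderr)
    if new_policy is None:
        print("no statements left: run aws ecr delete-repository-policy", file=sys.stderr)
    else:
        print(json.dumps(new_policy, indent=2))
```

Pipe the get-repository-policy output through the script, inspect anything it reports for review, then feed the printed policy to set-repository-policy with --policy-text file://policy.json; if it reports that no statements remain, delete the policy instead.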