AWS Private ECR repository policy is overly permissive
Description
This policy identifies AWS Private ECR repositories whose repository policy is overly permissive, for example one that grants pull access to the wildcard principal `*`. An ECR (Elastic Container Registry) repository is a collection of container images stored in AWS. Those images may contain sensitive information (credentials, internal source, proprietary binaries), so access to them should be restricted to authorized principals only.
Code Example
```hcl
# Compliant example: pull-only access granted to a single IAM role,
# not to a wildcard ("*") principal.
resource "aws_ecr_repository_policy" "example" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
        Resource = aws_ecr_repository.example.arn
        Principal = {
          AWS = "arn:aws:iam::123456789012:role/your-role"
        }
      }
    ]
  })
}
```
Remediation
Terraform
To fix this issue, ensure that the `policy` property of the `aws_ecr_repository_policy` resource does not allow public access: no `Allow` statement should name the wildcard principal (`"Principal": "*"` or `"Principal": {"AWS": "*"}`) without a condition that narrows it. Grant access to specific IAM principals (account, role or user ARNs) instead.
Example:
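The following check, added here as an illustration and not part of the original page or of Checkov, implements the test the remediation describes: it parses an ECR repository policy document and reports every `Allow` statement that grants access to the wildcard principal without a narrowing `Condition`. The three policy documents and their `Sid` values are constructed sample input; the function names are assumptions.

```python
import json

# Constructed sample policies (not from the page). The first is what this
# rule should flag; the second and third should pass.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyonePull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
        }
    ],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOneRolePull",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/your-role"},
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
        }
    ],
})

# Wildcard principal narrowed to one AWS Organization: a common pattern that
# is not public, so it is not flagged by this check.
ORG_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOrgPull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        }
    ],
})


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."} or
    {"AWS": [...]}) into a list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    if isinstance(principal, dict):
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
    return flat


def public_statements(policy_document):
    """Return the Sids (or Statement[<index>] when no Sid is set) of Allow
    statements that grant access to any principal. A statement is treated as
    public when its Principal contains "*" and there is no Condition block
    narrowing it. Deny statements with "*" are not access grants."""
    doc = (json.loads(policy_document)
           if isinstance(policy_document, str) else policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    flagged = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", "Statement[%d]" % index))
    return flagged


def is_overly_permissive(policy_document):
    """True when at least one statement grants unconditioned public access."""
    return bool(public_statements(policy_document))


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("RESTRICTED_POLICY", RESTRICTED_POLICY),
                      ("ORG_SCOPED_POLICY", ORG_SCOPED_POLICY)):
        print(name, "FAIL" if is_overly_permissive(doc) else "PASS",
              public_statements(doc))
```

The check deliberately skips wildcard statements that carry a `Condition`, because an `aws:PrincipalOrgID` or similar key restricts who can match; such statements still deserve a manual look, since a weak condition (for example on `aws:SourceIp` alone) can leave the repository effectively public.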
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0086 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_32 |