
ECR registry with public access can lead to code and data leak

  • GG_ID: GG_IAC_0041
  • Severity: HIGH
  • Complexity: LOW
  • Categories: PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False


Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.

A repository (or registry) policy whose Allow statement names a wildcard principal (`"Principal": "*"` or `"Principal": {"AWS": "*"}`) without a condition that scopes the caller to known accounts or to your organization grants the listed ECR actions to every AWS account. Anyone with AWS credentials, including an attacker using an account they own, can then perform those actions against the repository.


The impact depends on which actions the public statement allows.

  • With read access (for example ecr:BatchGetImage and ecr:GetDownloadUrlForLayer), an attacker can pull every image and inspect its layers, which frequently contain proprietary code, configuration files and embedded secrets.
  • With write access (for example ecr:PutImage together with the layer-upload actions), an attacker can push a tampered image under an existing tag; every deployment that pulls that tag then runs the attacker's code.

Remediation guidelines

Replace wildcard principals with the ARNs of the AWS accounts, roles or users that actually need the repository, or keep a wildcard principal only together with a condition such as aws:PrincipalOrgID that limits callers to your organization. Grant each consumer only the actions it needs (pull-only for deployment accounts) and review the effective policy with `aws ecr get-repository-policy --repository-name <name>`.
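As an added example that is not part of this page or of GitGuardian's scanner, the check below reads an ECR repository policy document (the JSON a Terraform `aws_ecr_repository_policy` or a CloudFormation `RepositoryPolicyText` would carry) and reports Allow statements that are open to any AWS account, classifying each as read or write access so the finding maps to the two impacts above. The two embedded policies are constructed for the example, the account ID is a placeholder, and the action lists and scoping condition keys are the author's own choices, not an official list.

```python
"""Flag ECR repository policy statements that grant access to any AWS principal.

Added example, not GitGuardian's rule implementation. The sample policies
below are constructed; the account ID 111122223333 is a placeholder.
"""
import json
from fnmatch import fnmatchcase

# ECR actions that let a caller change what an image tag resolves to (author's selection).
WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
}
# ECR actions that let a caller pull layers or enumerate images (author's selection).
READ_ACTIONS = {
    "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
    "ecr:DescribeImages", "ecr:ListImages", "ecr:DescribeRepositories",
    "ecr:GetRepositoryPolicy",
}
# Condition keys that pin a wildcard principal to known accounts or an organization.
SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(principal) -> bool:
    """True for "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_scoped(condition) -> bool:
    """True if any condition key ties the caller to a known account or org."""
    if not isinstance(condition, dict):
        return False
    keys = {k.lower() for op in condition.values() if isinstance(op, dict) for k in op}
    return bool(keys & SCOPING_KEYS)


def _grants(actions, wanted) -> bool:
    """Does any action pattern cover one of `wanted`? IAM matching is case-insensitive."""
    return any(fnmatchcase(a.lower(), pat.lower())
               for pat in _as_list(actions) for a in wanted)


def public_statements(policy_json: str) -> list:
    """Return (Sid, access) pairs for Allow statements open to any AWS account.

    access is "write" if an image-mutating action is granted, otherwise "read"
    if a pull/enumerate action is granted, otherwise "other".
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements never widen access
        if not _has_wildcard_principal(stmt.get("Principal")):
            continue                       # explicit principals are the remediated form
        if _is_scoped(stmt.get("Condition")):
            continue                       # "*" plus aws:PrincipalOrgID etc. is not public
        actions = stmt.get("Action", [])
        if _grants(actions, WRITE_ACTIONS):
            access = "write"
        elif _grants(actions, READ_ACTIONS):
            access = "read"
        else:
            access = "other"
        findings.append((stmt.get("Sid", "<no Sid>"), access))
    return findings


# Constructed: the policy pattern this rule flags (anyone can pull and push).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanPushAndPull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:PutImage",
                   "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"],
    }],
})

# Constructed: the remediated policy, pull-only and limited to one account (placeholder ID).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyBuildAccountCanPull",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                   "ecr:BatchCheckLayerAvailability"],
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, public_statements(doc) or "no public statements")
```

Wildcard principals combined with a scoping condition are deliberately not reported, because that is a legitimate way to share a repository across an AWS Organization; if your environment forbids that pattern too, drop the `_is_scoped` check.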

External documentation