ECR registry with public access can lead to code and data leak
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | PERMISSION |
Description
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.
Some policies attached to the registry allow actions from any AWS account (a wildcard principal). This means that the actions these policies grant could be performed by anyone with an AWS account.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | True | False | False |
The impact depends on which actions the public policies grant:
- With read access to the images, an attacker could gain access to confidential code or data contained in them.
- With write access to the images, an attacker could replace them, leading to code injection wherever those images are deployed.
Remediation guidelines
Restrict the principals in these policies to the AWS accounts that need access to the registry.
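As an added example (not part of this rule page), the following check flags the wildcard-principal statements the rule describes, with a constructed public policy beside a corrected one scoped to a single placeholder account ID:

```python
import json

# Constructed sample ECR repository policy: "Principal": "*" lets any AWS
# account pull images, the weak configuration this rule flags.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPullFromAnyone", "Effect": "Allow", "Principal": "*",
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})

# Constructed corrected policy: same actions, limited to the one account
# (placeholder account ID) that actually needs to pull images.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPullFromTrustedAccount", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})


def is_wildcard_principal(principal) -> bool:
    """True if the Principal element matches any AWS account ("*" or AWS: "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json: str) -> list:
    """Return Sids (or positions) of Allow statements open to any AWS account.

    Statements carrying a Condition block are still reported: a condition may
    narrow access, but the policy needs review rather than a silent pass.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    print("public policy:", public_statements(PUBLIC_POLICY))  # ['AllowPullFromAnyone']
    print("scoped policy:", public_statements(SCOPED_POLICY))  # []
```

Feed it the JSON returned by `aws ecr get-repository-policy` (the `policyText` field) to review a live repository.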