Ensure ECR repositories do not allow cross account access to accounts outside your organization

Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. Since Docker containers need to interact with other services such as databases, APIs, etc., sensitive data (credentials, connection strings, internal endpoints) may be baked into a Docker image. For this reason it is considered a security best practice not to allow access to the repository from accounts outside of your organization. Ensuring that access is restricted will help you with PCI-DSS and GDPR compliance.

Audit & Remediation

  • Log in to your AWS account
  • Navigate to the ECR service at: https://console.aws.amazon.com/ecr
  • On the ECR main page, select the hyperlink for the repo you would like to inspect.
  • In the left-hand panel, under Amazon ECR, under Repositories, select Permissions.
  • In the main panel, under Permissions, if policy information is shown, an access policy has been set on the repository.
  • For each statement whose Effect is Allow, validate that the AWS account IDs listed as principals do not include an account outside of your organization.
  • If an account outside your organization is set, select the orange Edit button in the top right-hand corner.
  • Remove the account under the AWS account IDs - optional field in order to remove access for the specific AWS account(s).
  • Add a service principal from within your own account, or, if cross-account access is needed, specify only account IDs that belong to your own organization.
  • Repeat the outlined steps for each repository.
  • Repeat the outlined steps for each region that you have ECR repositories in.
  • Repeat the outlined steps for each AWS account that you have.
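The console steps above do not scale across many repositories, regions and accounts. The following script, an added example that is not part of the original page or any Intelligent Discovery tooling, implements the same check offline against a repository policy document: it walks every Allow statement and reports any principal account ID that is not in your organization's list, or a wildcard principal. The organization account IDs and the sample policy are constructed placeholders; in practice you would feed it the JSON returned by `aws ecr get-repository-policy`.

```python
import json
import re

# Constructed placeholder: the account IDs that make up your organization.
ORG_ACCOUNT_IDS = {"111111111111", "222222222222"}
# Matches a bare account ID or an IAM/STS ARN and captures the 12-digit account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def principal_accounts(principal):
    """Account IDs named by a policy Principal; '*' marks a wildcard grant.
    Service principals ({"Service": ...}) name no account and are skipped."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    found = set()
    for value in values:
        match = ACCOUNT_RE.match(value)
        if value == "*":
            found.add("*")
        elif match:
            found.add(match.group(1))
    return found

def foreign_principals(policy_json, org_accounts=ORG_ACCOUNT_IDS):
    """(Sid, account) pairs for Allow statements granting access outside the org."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for account in principal_accounts(stmt.get("Principal", {})):
            if account == "*" or account not in org_accounts:
                findings.append((stmt.get("Sid", ""), account))
    return sorted(findings)

# Constructed sample repository policy: one in-org grant, one foreign grant,
# and a service-principal grant that must not be flagged.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgPull", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    {"Sid": "CrossAccountPull", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]}},
    {"Sid": "CodeBuild", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"Service": "codebuild.amazonaws.com"}}]})
```

Running `foreign_principals(SAMPLE_POLICY)` on the sample returns the CrossAccountPull statement with account 333333333333, which is the statement you would edit or remove in the console steps above.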