New Private Repository Container Image detected in AWS ECR

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).

NOTE: Amazon ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.

Strategy

Detect when @evt.name:PutImage is used against the ecr.amazonaws.com API.

Triage & Response

  1. Check that {{@responseElements.image.imageId.imageDigest}} is a valid sha256 hash for the container image with a tag of {{@responseElements.image.imageId.imageTag}} in the {{@responseElements.image.repositoryName}} repository on AWS Account {{@userIdentity.accountId}}.
  2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.