New Private Repository Container Image detected in AWS ECR
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우
언제든지 연락주시기 바랍니다.Goal
Detect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).
NOTE: Amazon ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken
API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.
Strategy
Detect when @evt.name:PutImage
is used against the ecr.amazonaws.com
API.
Triage & Response
- Check that
{{@responseElements.image.imageId.imageDigest}}
is a valid sha256 hash for the container image with a tag of {{@responseElements.image.imageId.imageTag}}
in the {{@responseElements.image.repositoryName}}
repository on AWS Account {{@userIdentity.accountId}}
. - If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.