ECR repository is publicly accessible
Id: 75be209d-1948-41f6-a8c8-e22dd0121134
Cloud Provider: AWS
Platform: CloudFormation
Severity: Critical
Category: Access Control
Description
Amazon ECR repository policies that allow wildcard principals (*) grant public access to container images, enabling any AWS account or unauthenticated user to pull or push images. This increases the risk of data exposure, unauthorized deployments, and supply-chain compromise.
The RepositoryPolicyText property of AWS::ECR::Repository resources must not contain Statement entries whose Effect is Allow and whose Principal includes *. This rule flags every repository policy statement with Effect set to Allow and Principal set to *. Instead, name explicit principals such as AWS account ARNs, IAM roles, or service principals, and apply least-privilege actions and conditions.
Secure configuration example (restrict to a specific AWS account):
MyRepository:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: my-repo
    RepositoryPolicyText:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS: "arn:aws:iam::123456789012:root"
          Action:
            - "ecr:GetDownloadUrlForLayer"
            - "ecr:BatchGetImage"
            - "ecr:BatchCheckLayerAvailability"
          Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/my-repo"
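As an added example (not part of the Datadog rule or its implementation), the following Python check applies this rule's logic to a parsed CloudFormation template: it walks every AWS::ECR::Repository, and reports Allow statements whose Principal is a wildcard. It goes slightly beyond the literal Principal: "*" shown on this page by also treating the {"AWS": "*"} form and a list containing "*" as wildcards; the sample template, resource names and helper function are constructed for the demonstration.

```python
from typing import Any

def _principal_is_wildcard(principal: Any) -> bool:
    """True when a Principal grants to everyone: "*", {"AWS": "*"}, or any list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_principal_is_wildcard(v) for v in principal.values())
    if isinstance(principal, list):
        return any(_principal_is_wildcard(p) for p in principal)
    return False

def find_public_ecr_statements(template: dict) -> list:
    """Return (logical_id, sid) for every Allow statement with a wildcard principal
    in the RepositoryPolicyText of each AWS::ECR::Repository in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue
        policy = resource.get("Properties", {}).get("RepositoryPolicyText") or {}
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be written without a list
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
                findings.append((logical_id, stmt.get("Sid", "<no Sid>")))
    return findings

def _ecr_repo(sid: str, principal: Any) -> dict:
    """Build a minimal constructed AWS::ECR::Repository resource for the sample template."""
    return {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {"Version": "2012-10-17", "Statement": [
            {"Sid": sid, "Effect": "Allow", "Principal": principal,
             "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]}}}

# Constructed sample template (same shape as the page's JSON examples): one repository limited to
# an explicit IAM user, one with Principal "*", and one with the equivalent {"AWS": "*"} form.
SAMPLE_TEMPLATE = {"Resources": {
    "RestrictedRepo": _ecr_repo("AllowPull", {"AWS": ["arn:aws:iam::123456789012:user/Bob"]}),
    "PublicRepo": _ecr_repo("AllowPushPull", "*"),
    "AwsWildcardRepo": _ecr_repo("AllowPull", {"AWS": "*"}),
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # non-ECR resource is skipped
}}

if __name__ == "__main__":
    for logical_id, sid in find_public_ecr_statements(SAMPLE_TEMPLATE):
        print(f"{logical_id}: statement {sid} allows a wildcard principal")
```

Run against a real template by loading its JSON with json.load (YAML templates need a loader that tolerates tags such as !Sub) and passing the resulting dict to find_public_ecr_statements.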
Compliant Code Examples
Resources:
  MyRepository1:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          -
            Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::123456789012:user/Bob"
                - "arn:aws:iam::123456789012:user/Alice"
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"
{
  "Resources": {
    "MyRepository2": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AllowPushPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::123456789012:user/Bob",
                  "arn:aws:iam::123456789012:user/Alice"
                ]
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
              ]
            }
          ]
        }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "MyRepository4": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AllowPushPull",
              "Effect": "Allow",
              "Principal": "*",
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
              ]
            }
          ]
        }
      }
    }
  }
}
Resources:
  MyRepository3:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          -
            Sid: AllowPushPull
            Effect: Allow
            Principal: "*"
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"