For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-ecr-repository-without-policy.md. A documentation index is available at /llms.txt.

ECR repository without policy

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-ecr-repository-without-policy

Provider: AWS

Platform: Terraform

Severity: Low

Category: Best Practices

Learn More

Description

Amazon Elastic Container Registry (ECR) repositories should have resource policies attached to them to enforce specific access controls. Without a repository policy, the repository may rely only on default AWS account permissions, which are not granular and may inadvertently allow unauthorized users or services to access, modify, or delete container images. This misconfiguration exposes the repository contents to security risks such as privilege escalation or data theft. To mitigate this, it is important to define an aws_ecr_repository_policy with the appropriate access permissions for each ECR repository.

Compliant Code Examples

resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "foopolicy" {
  repository = aws_ecr_repository.foo.name

  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}
EOF
}

Non-Compliant Code Examples

resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository" "foo2" {
  name = "bar"
}


resource "aws_ecr_repository_policy" "foopolicy" {
  repository = aws_ecr_repository.foo.name

  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "new policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}
EOF
}