---
title: ECR private repositories should not grant public image uploads
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > ECR private repositories should not
  grant public image uploads
---

# ECR private repositories should not grant public image uploads
## Description{% #description %}

Identify when container images in Amazon Elastic Container Repositories (ECR) private repositories can be created or overwritten by anyone.

## Rationale{% #rationale %}

Publicly accessible Amazon Elastic Container Repositories (ECR) allow unauthorized users access to private container image repositories. When image tags are mutable, anyone can overwrite an image that your workloads pull, which can in turn lead to unauthorized access to infrastructure or data.

## Remediation{% #remediation %}

1. First, retrieve the current policy of the repository and save it to `policy.json`. Replace `<region>`, `<account-id>`, and `<repository-name>` with your actual values:
   ```
   aws ecr get-repository-policy --region <region> --registry-id <account-id> --repository-name <repository-name> --query policyText --output text > policy.json
   ```
1. Open the `policy.json` file in a text editor. Look for the statement that grants public access (the one with `"Principal": "*"`, or the equivalent `"Principal": {"AWS": "*"}`) and remove it.
1. After editing the policy, apply the updated policy to the repository:
   ```
   aws ecr set-repository-policy --region <region> --registry-id <account-id> --repository-name <repository-name> --policy-text file://policy.json
   ```
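When a repository policy has several statements, it helps to check mechanically which ones actually let an unauthenticated principal push (rather than only pull) before editing `policy.json`. The following is an added example, not Datadog's or AWS's own code: it reads the policy document retrieved in step 1, reports Allow statements whose principal is anyone and whose actions cover the image push path, and returns a copy with the unconditional ones removed. Statements that carry a `Condition` are reported separately, since a condition (for example on the source account) may already scope the grant and deserves manual review; the sample policy and the account ID in it are constructed.

```python
import fnmatch
import json

# ECR actions on the image push path (create or overwrite an image).
PUSH_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """Anyone: a bare "*" or {"AWS": "*"}; other forms name specific accounts/roles."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def grants_push(actions):
    """IAM action patterns are case-insensitive globs: "*", "ecr:*", "ecr:Put*" all match."""
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in _as_list(actions) for a in PUSH_ACTIONS)

def public_push_statements(policy):
    """Split public push-granting Allow statements into (unconditional, conditional).
    A Condition (e.g. aws:SourceAccount) may scope the grant, so review those by hand."""
    public, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal"))
                and grants_push(stmt.get("Action", []))):
            (conditional if stmt.get("Condition") else public).append(stmt)
    return public, conditional

def remove_public_push(policy):
    """Copy of the policy with the unconditional public push statements dropped."""
    public, _ = public_push_statements(policy)
    return {**policy, "Statement": [s for s in _as_list(policy.get("Statement", []))
                                    if s not in public]}

# Constructed sample repository policy (not from a real account); in practice
# load it with json.load(open("policy.json")).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowPull", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Sid": "PublicPush", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "ecr:*"},
    {"Sid": "CiPush", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-push"}, "Action": "ecr:PutImage"}
  ]
}""")
```

Write the result of `remove_public_push` back to `policy.json` with `json.dump` before running step 3; the public pull statement is left alone because it does not let anyone create or overwrite an image.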
