---
title: ECR repository policies should not allow wildcard principals
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > ECR repository policies should not
  allow wildcard principals
---

# ECR repository policies should not allow wildcard principals
 
## Description{% #description %}

ECR repository resource policies should not grant access to a wildcard principal (`"Principal": "*"`, or its equivalent `"Principal": {"AWS": "*"}`) in an `Allow` statement that carries no scoping condition. Private ECR repositories require AWS authentication, so an unconditional wildcard does not expose the repository anonymously, but it does let any IAM principal in any AWS account perform the statement's actions, such as pulling or pushing images, which is a significant security risk. Wildcard principals scoped by a policy condition (such as `aws:SourceAccount`, `aws:SourceArn`, or `aws:PrincipalOrgID`) are not flagged, because the condition restricts which principals can match the statement. Note that a condition only narrows access as far as its key does: `aws:PrincipalOrgID`, for example, still admits every account in the organization.

## Remediation{% #remediation %}

Update the repository policy so that each `Allow` statement names explicit AWS account IDs or IAM principal ARNs instead of `*`. Alternatively, keep the wildcard and add a `Condition` block that restricts who can match it, for example `aws:PrincipalOrgID` to limit access to one AWS Organization. Apply the updated policy document with the ECR `SetRepositoryPolicy` API (`aws ecr set-repository-policy`). For guidance, refer to [Repository policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html).
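The following is an added Python example, not Datadog's detection code and not taken from the linked AWS documentation. It evaluates an ECR repository policy document the way the rule describes (flag `Allow` statements whose principal is a wildcard and that carry no scoping condition) and applies the second remediation by adding an `aws:PrincipalOrgID` condition to each flagged statement. The sample policies, the organization ID `o-exampleorgid`, and the account IDs and role name are constructed placeholders. The set of scoping condition keys is the one the rule text names; treating negated operators (`StringNotEquals`, `ArnNotLike`, and similar), `...IfExists` variants, and `Null` as non-scoping is this example's own conservative choice, since none of them limits which principals can match.

```python
import json

# Constructed sample policies for this example (not from the page or Datadog).
# The first is the pattern the rule flags: Allow + Principal "*" + no Condition.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
})

# Same wildcard principal, but scoped to one organization: not flagged.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrgPull",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# Explicit principals: not flagged. Account IDs and the role name are placeholders.
EXPLICIT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCiPull",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::444455556666:role/ci-image-puller"]},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
})

# Condition keys the rule text names as scoping a wildcard principal
# (IAM condition keys are case-insensitive, so compare in lower case).
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}


def _is_wildcard_principal(principal) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} are equivalent wildcards."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _has_scoping_condition(statement: dict) -> bool:
    """True if a positive condition on one of SCOPING_KEYS is present.

    Negated operators, ...IfExists variants and Null do not restrict which
    principals can match, so they are not counted as scoping (example's choice).
    """
    for operator, pairs in (statement.get("Condition") or {}).items():
        op = operator.lower()
        if "not" in op or op.endswith("ifexists") or op == "null":
            continue
        if any(key.lower() in SCOPING_KEYS for key in pairs):
            return True
    return False


def _statements(policy: dict) -> list:
    """Normalize 'Statement', which may be a single object or a list."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def _is_open(stmt: dict) -> bool:
    return (stmt.get("Effect") == "Allow"
            and _is_wildcard_principal(stmt.get("Principal"))
            and not _has_scoping_condition(stmt))


def find_open_statements(policy_text: str) -> list:
    """Return the Sids (or positional labels) of statements the rule would flag."""
    return [stmt.get("Sid", "Statement[%d]" % index)
            for index, stmt in enumerate(_statements(json.loads(policy_text)))
            if _is_open(stmt)]


def scope_to_org(policy_text: str, org_id: str) -> str:
    """Remediate by adding an aws:PrincipalOrgID condition to each open statement."""
    policy = json.loads(policy_text)
    statements = _statements(policy)
    policy["Statement"] = statements
    for stmt in statements:
        if _is_open(stmt):
            condition = stmt.setdefault("Condition", {})
            condition.setdefault("StringEquals", {})["aws:PrincipalOrgID"] = org_id
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, text in [("open", OPEN_POLICY), ("scoped", SCOPED_POLICY),
                       ("explicit", EXPLICIT_POLICY)]:
        print(name, find_open_statements(text))
    print(scope_to_org(OPEN_POLICY, "o-exampleorgid"))
```

To run this against a live repository, pass `find_open_statements` the `policyText` string returned by `aws ecr get-repository-policy --repository-name <name>`, and push the output of `scope_to_org` back with `aws ecr set-repository-policy --repository-name <name> --policy-text file://policy.json`. Replacing the wildcard with explicit principals, the first remediation above, is the stronger fix when the set of consuming accounts is known.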
