Skip to content

AWS ECR Repository Credential

Service Name: Amazon Elastic Container Registry

Service Description: Amazon Elastic Container Registry (ECR) is a fully managed container registry service provided by AWS that makes it easy to store, manage, and deploy Docker container images. It integrates with Amazon ECS, Amazon EKS, and other container orchestration services.

Service Address: https://aws.amazon.com/ecr/

Validation Type: API Auth

IP Allow list: IP Restriction is available per repository using AWS IAM policies and resource-based policies.

Secret Access Scope: Grants access to push, pull, and manage container images in specific ECR repositories. These credentials are typically temporary and are obtained through the AWS CLI using the get-login-password command.

Secret Revokement URL: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html

Secret Example: AWS:eyJwYXlsb2FkIjoiQ2ZqSWVBPT0iLCJzaWduYXR1cmUiOiJLZUV4YW1wbGVTaWduYXR1cm VWYWx1ZT0ifQ==

Suspicious Activity Investigation Instructions:

  • Review CloudTrail logs for unusual ECR API calls, especially PutImage, BatchDeleteImage, or InitiateLayerUpload.
  • Check for unexpected image pushes or pulls in your ECR repositories.
  • Monitor for unauthorized repository creation or deletion.
  • Look for unusual IP addresses or locations accessing your ECR repositories.
  • Review IAM roles and users with ECR permissions for any unauthorized changes.

Mitigation Instructions:

  • Rotate the AWS credentials that were used to generate the ECR authentication token.
  • Update IAM policies to restrict ECR access to only necessary users and roles.
  • Enable AWS ECR repository scanning to detect vulnerabilities in container images.
  • Implement lifecycle policies to automatically clean up unused images.
  • Enable AWS CloudTrail to monitor ECR API calls.
  • Consider implementing private endpoints using AWS PrivateLink to restrict network access to your ECR repositories.
  • Use repository policies to further restrict access to specific repositories.
  • Implement image tag immutability to prevent overwriting of existing image tags.