AWS - ECR Persistence
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information check:
AWS - ECR EnumAn attacker could upload a Docker image containing malicious code to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
Add a policy to a single repository granting yourself (or everybody) access to a repository:
Note that ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken
API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.
It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to indicate the external account there you want to replicate the registry.
First, you need to give the external account access over the registry with a registry policy like:
Then apply the replication config:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)