AWS - ECR Privesc
ECR
ecr:GetAuthorizationToken, ecr:BatchGetImage
An attacker with the ecr:GetAuthorizationToken and ecr:BatchGetImage permissions can log in to ECR and download images.
For more info on how to download images, check:
AWS - ECR Post Exploitation
Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.
ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:CompleteLayerUpload, ecr:InitiateLayerUpload, ecr:PutImage, ecr:UploadLayerPart
An attacker with all of those permissions can log in to ECR and upload images. This can be useful to escalate privileges to other environments where those images are being used.
To learn how to upload a new image or update an existing one, check:
AWS - EKS Enum
ecr-public:GetAuthorizationToken, ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload, ecr-public:InitiateLayerUpload, ecr-public:PutImage, ecr-public:UploadLayerPart
Like the previous section, but for public repositories.
ecr:SetRepositoryPolicy
An attacker with this permission could change the repository policy to grant himself (or even everyone) read/write access. In the following example, read access is given to everyone.
Contents of my-policy.json:
ecr-public:SetRepositoryPolicy
Like the previous section, but for public repositories. An attacker can modify the repository policy of an ECR Public repository to grant unauthorized public access or to escalate their privileges.
Potential Impact: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.
ecr:PutRegistryPolicy
An attacker with this permission could change the registry policy to grant himself, his account (or even everyone) read/write access.
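Both the repository-policy and registry-policy cases above come down to an Allow statement whose Principal is wider than the owning account. The following audit helper is an added example (not code from this page or from AWS): it takes the JSON document returned by the ECR GetRepositoryPolicy or GetRegistryPolicy API as a string and flags statements that grant unconditional access to any principal, or write-type actions to principals outside a set of trusted account IDs. The sample policy, the trusted account ID and the set of write actions are constructed for the example.

```python
import json

# Constructed sample (not taken from any real account). The first statement is the
# kind of document an attacker with ecr:SetRepositoryPolicy would write, opening pulls
# to any AWS principal; the second is an ordinary grant to a role in the account.
SAMPLE_POLICY_TEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPull", "Effect": "Allow", "Principal": "*",
         "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
        {"Sid": "TeamPush", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-push"},
         "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload"]},
    ],
})

# Actions that change image contents or the policy itself (a subset chosen for this example).
WRITE_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload", "ecr:SetRepositoryPolicy",
                 "ecr:DeleteRepositoryPolicy", "ecr:BatchDeleteImage", "ecr:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element to strings; '*' means any AWS principal."""
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return [str(principal)]


def _account_of(principal):
    parts = principal.split(":")  # arn:aws:iam::<account>:role/x
    return parts[4] if len(parts) > 4 else principal  # bare account IDs are allowed too


def find_risky_statements(policy_text, trusted_accounts=()):
    """Return (Sid, reason) pairs for Allow statements in an ECR repository or
    registry policy that open access beyond the trusted account IDs."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt.get("Principal", {}))
        # A wildcard principal with no Condition is reachable by anyone holding AWS credentials.
        if "*" in principals and "Condition" not in stmt:
            findings.append((sid, "unconditional access for any principal"))
            continue
        foreign = [p for p in principals if p != "*" and _account_of(p) not in trusted_accounts]
        if foreign and WRITE_ACTIONS & set(_as_list(stmt.get("Action", []))):
            findings.append((sid, "write access for untrusted principal " + ",".join(foreign)))
    return findings
```

A wildcard principal that carries a Condition (for example an organisation-scoped one) is treated as scoped and not flagged; pair this with a CloudTrail alert on SetRepositoryPolicy and PutRegistryPolicy calls so that a policy change is noticed when it happens rather than at the next scan.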