AWS - ECR Enum

ECR

Basic Information

Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.

ECR is compose by 2 types of objects: Registries and Repositories.

Registries

Every AWS account has 2 registries: Private & Public.

1. Private Registries:

• Private by default: The container images stored in an Amazon ECR private registry are only accessible to authorized users within your AWS account or to those who have been granted permission.

  • The URI of a private repository follows the format <account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>

• Access control: You can control access to your private container images using IAM policies, and you can configure fine-grained permissions based on users or roles.

• Integration with AWS services: Amazon ECR private registries can be easily integrated with other AWS services, such as EKS, ECS...

• Other private registry options:

  • The Tag immutability column lists its status, if tag immutability is enabled it will prevent image pushes with pre-existing tags from overwriting the images.

  • The Encryption type column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has KMS enabled encryptions.

  • The Pull through cache column lists its status, if Pull through cache status is Active it will cache repositories in an external public repository into your private repository.

  • Specific IAM policies can be configured to grant different permissions.

  • The scanning configuration allows to scan for vulnerabilities in the images stored inside the repo.

2. Public Registries:

• Public accessibility: Container images stored in an ECR Public registry are accessible to anyone on the internet without authentication.

  • The URI of a public repository is like public.ecr.aws/<random>/<name>. Although the <random> part can be changed by the admin to another string easier to remember.

Repositories

These are the images that in the private registry or to the public one.

Registry & Repository Policies

Registries & repositories also have policies that can be used to grant permissions to other principals/accounts. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:

Enumeration

# Get repos
aws ecr describe-repositories
aws ecr describe-registry

# Get image metadata
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
aws ecr describe-pull-through-cache-rules --repository-name <repo_name> --image-id <image_id>

# Get public repositories
aws ecr-public describe-repositories

# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>

Unauthenticated Enum

Privesc

In the following page you can check how to abuse ECR permissions to escalate privileges:

Post Exploitation

Persistence

References

• https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html