AWS - ECR Enum
Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
ECR is composed of two types of objects: Registries and Repositories.
Registries
Every AWS account has 2 registries: Private & Public.
Private Registries:
Private by default: The container images stored in an Amazon ECR private registry are only accessible to authorized users within your AWS account or to those who have been granted permission.
The URI of a private repository follows the format <account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>
Access control: You can control access to your private container images using IAM policies, and you can configure fine-grained permissions based on users or roles.
Integration with AWS services: Amazon ECR private registries can be easily integrated with other AWS services, such as EKS, ECS...
Other private registry options:
The Tag immutability column lists its status. If tag immutability is enabled, image pushes with pre-existing tags cannot overwrite the existing images.
The Encryption type column lists the encryption properties of the repository: either the default encryption type (AES-256) or KMS-based encryption.
The Pull through cache column lists its status. If the pull through cache status is Active, repositories from an external public registry are cached into your private registry.
Specific IAM policies can be configured to grant different permissions.
The scanning configuration allows the images stored inside the repository to be scanned for vulnerabilities.
Public Registries:
Public accessibility: Container images stored in an ECR Public registry are accessible to anyone on the internet without authentication.
The URI of a public repository looks like public.ecr.aws/<random>/<name>, although the <random> part can be changed by the admin to another string that is easier to remember.
Repositories
These hold the images pushed to either the private registry or the public one.
Note that in order to upload an image to a repository, the ECR repository needs to have the same name as the image.
Registries & repositories also have policies that can be used to grant permissions to other principals/accounts. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
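As an added example (not from the original page), the following script audits the repository settings and policies described above. It works on JSON shaped like the output of `aws ecr describe-repositories` and `aws ecr get-repository-policy`; the embedded samples, the account id and the organization id are constructed placeholders, and conditions such as aws:PrincipalOrgID are not evaluated, so a `*` principal is always reported.

```python
"""Flag ECR repositories with mutable tags, no scan-on-push, default encryption, or external principals."""
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder, not a real account

# Constructed sample shaped like `aws ecr describe-repositories` output.
SAMPLE_REPOS = {"repositories": [
    {"repositoryName": "api", "imageTagMutability": "MUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False},
     "encryptionConfiguration": {"encryptionType": "AES256"}},
    {"repositoryName": "worker", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": True},
     "encryptionConfiguration": {"encryptionType": "KMS"}},
]}

# Constructed samples shaped like the policyText field of `aws ecr get-repository-policy`.
SAMPLE_POLICIES = {
    # Organization-wide pull access, like the policy the text describes.
    "api": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}),
    # Access limited to a role in the same account.
    "worker": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/ci"},
         "Action": "ecr:*"}]}),
}

def external_principals(policy_text, account_id):
    """Return principals in Allow statements that are not IAM identities of account_id."""
    statements = json.loads(policy_text).get("Statement", [])
    found = []
    for st in statements if isinstance(statements, list) else [statements]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        values = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [values] if isinstance(values, str) else values:
            if p == "*" or f":{account_id}:" not in p:  # conditions are not evaluated
                found.append(p)
    return found

def audit(repos, policies, account_id):
    """Map each repository name to a list of findings; an empty list means nothing flagged."""
    findings = {}
    for repo in repos["repositories"]:
        name, issues = repo["repositoryName"], []
        if repo.get("imageTagMutability") != "IMMUTABLE":
            issues.append("tags mutable: an existing tag can be overwritten by a new push")
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
            issues.append("scan on push disabled")
        enc = repo.get("encryptionConfiguration", {}).get("encryptionType")
        if enc != "KMS":
            issues.append(f"encryption type {enc} (no customer-managed KMS key)")
        for p in external_principals(policies.get(name, '{"Statement": []}'), account_id):
            issues.append(f"repository policy grants access to external principal {p}")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_REPOS, SAMPLE_POLICIES, ACCOUNT_ID).items():
        print(name, "->", issues or ["no findings"])
```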
In the following page you can check how to abuse ECR permissions to escalate privileges:
AWS - ECR Privesc