Links

AWS - ECR Enum

AWS - ECR Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

ECR

Basic Information

Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
ECR is compose by 2 types of objects: Registries and Repositories.
Registries
Every AWS account has 2 registries: Private & Public.
  1. 1.
    Private Registries:
  • Private by default: The container images stored in an Amazon ECR private registry are only accessible to authorized users within your AWS account or to those who have been granted permission.
    • The URI of a private repository follows the format <account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>
  • Access control: You can control access to your private container images using IAM policies, and you can configure fine-grained permissions based on users or roles.
  • Integration with AWS services: Amazon ECR private registries can be easily integrated with other AWS services, such as EKS, ECS...
  • Other private registry options:
    • The Tag immutability column lists its status, if tag immutability is enabled it will prevent image pushes with pre-existing tags from overwriting the images.
    • The Encryption type column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has KMS enabled encryptions.
    • The Pull through cache column lists its status, if Pull through cache status is Active it will cache repositories in an external public repository into your private repository.
    • Specific IAM policies can be configured to grant different permissions.
    • The scanning configuration allows to scan for vulnerabilities in the images stored inside the repo.
  1. 2.
    Public Registries:
  • Public accessibility: Container images stored in an ECR Public registry are accessible to anyone on the internet without authentication.
    • The URI of a public repository is like public.ecr.aws/<random>/<name>. Although the <random> part can be changed by the admin to another string easier to remember.
Repositories
These are the images that in the private registry or to the public one.
Note that in order to upload an image to a repository, the ECR repository need to have the same name as the image.

Registry & Repository Policies

Registries & repositories also have policies that can be used to grant permissions to other principals/accounts. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:

Enumeration

# Get repos
aws ecr describe-repositories
aws ecr describe-registry
# Get image metadata
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
aws ecr describe-pull-through-cache-rules --repository-name <repo_name> --image-id <image_id>
# Get public repositories
aws ecr-public describe-repositories
# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>

Unauthenticated Enum

Privesc

In the following page you can check how to abuse ECR permissions to escalate privileges:

Post Exploitation

Persistence

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: