search
LinkedInGitHubYouTube

Elastic Container Registry (ECR)

General information about Elastic Container Registry

hashtag
Overview

Amazon Elastic Container Registry (ECR)arrow-up-right is an AWS managed container image registry service for hosting Docker images, Open Container Initiative (OCI) images and OCI compatible artifacts.

hashtag
Registry Configuration

hashtag
URIs

public.ecr.aws/<random_value_set_by_admin>/<name>              # public repo URI
<accountId>.dkr.ecr.<region>.amazonaws.com/<repo_name>         # private repo URI

hashtag
Permissions

Configured with either IAM Policy or ECR Resource Policy.

triangle-exclamation

Look for misconfigured policies that allow Private repositories to be exposed! This allows all AWS principals in the world the ability to interact with this Private repository.

aws --region us-east-1 ecr get-repository-policy --repository-name tyler/my-private-registry --query policyText --output text | jq
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}

hashtag
Replication

Private repositories support both cross-region and cross-account replicationarrow-up-right.

hashtag
Useful CLI Commands

hashtag
Login to Registry

Requires ecr:GetAuthorizationToken

hashtag
Latest Method

hashtag
Legacy Method

hashtag
Describe Repositories

hashtag
List Available Images

hashtag
Push Image to Repository

You specify the Registry/Repository path i.e., 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry

Then the tag of the image you want to upload i.e., ubuntu-latest

hashtag
Offensive Security Tactics & Techniques

hashtag
Privilege Escalation

LogoElastic Container Registry (ECR) | Tech with Tylerwww.techwithtyler.devchevron-right
PreviousContainersNextDatabase

Last updated