Elastic Container Registry (ECR)

General information about Elastic Container Registry

Overview

Amazon Elastic Container Registry (ECR) is an AWS managed container image registry service for hosting Docker images, Open Container Initiative (OCI) images and OCI compatible artifacts.

Registry Configuration

URIs

public.ecr.aws/<random_value_set_by_admin>/<name>              # public repo URI
<accountId>.dkr.ecr.<region>.amazonaws.com/<repo_name>         # private repo URI

Permissions

Configured with either IAM Policy or ECR Resource Policy.

Look for misconfigured policies that allow Private repositories to be exposed! This allows all AWS principals in the world the ability to interact with this Private repository.

aws --region us-east-1 ecr get-repository-policy --repository-name tyler/my-private-registry --query policyText --output text | jq
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}

Replication

Private repositories support both cross-region and cross-account replication.

Useful CLI Commands

aws ecr-public  # public repos
aws ecr         # private repos

Requires ecr:GetAuthorizationToken

Latest Method

REPO_URI=$(aws --region <region> ecr describe-repositories | jq -r '.repositories[].repositoryUri') \
aws ecr get-login-password --region <region> | \
docker login --username AWS --password-stdin $REPO_URI

Legacy Method

REGISTRY=$(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0].proxyEndpoint' --output text) \
PASSWORD=$(echo $(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0].authorizationToken' --output text) | base64 --decode | cut -d: -f2) \
echo "$PASSWORD" | docker login --username AWS --password-stdin "$REGISTRY"

Login Succeeded

Describe Repositories

aws ecr describe-repositories

{
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111111111111:repository/tyler/my-private-registry",
            "registryId": "111111111111",
            "repositoryName": "tyler/my-private-registry",
            "repositoryUri": "111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry",
            "createdAt": "2025-08-02T11:55:14.300000-06:00",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": false
            },
            "encryptionConfiguration": {
                "encryptionType": "AES256"
            }
        }
    ]
}

List Available Images

REPO_NAME=$(aws ecr describe-repositories | jq -r '.repositories[].repositoryName') \
aws list-images --repository-name $REPO_NAME

Push Image to Repository

You specify the Registry/Repository path i.e., 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry

Then the tag of the image you want to upload i.e., ubuntu-latest

docker tag ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

Offensive Security Tactics & Techniques

Privilege Escalation

Elastic Container Registry (ECR) | Tech with Tylerwww.techwithtyler.dev

PreviousContainers NextDatabase

Last updated 2 months ago

hashtagOverview

hashtagRegistry Configuration

hashtagURIs

hashtagPermissions

hashtagReplication

hashtagUseful CLI Commands

hashtagLogin to Registry

hashtagLatest Method

hashtagLegacy Method

hashtagDescribe Repositories

hashtagList Available Images

hashtagPush Image to Repository

hashtagOffensive Security Tactics & Techniques

hashtagPrivilege Escalation

Overview

Registry Configuration

URIs

Permissions

Replication

Useful CLI Commands

Login to Registry

Latest Method

Legacy Method

Describe Repositories

List Available Images

Push Image to Repository

Offensive Security Tactics & Techniques

Privilege Escalation