AWS ECR public repository modified to allow global write access
Description
AlphaSOC detected that an AWS Elastic Container Registry (ECR) public repository
was modified to allow global write access using the SetRepositoryPolicy
action. This API call changes the permissions on an AWS ECR public repository,
potentially granting unrestricted write access to anyone. Threat actors can
exploit this misconfiguration to push malicious container images, overwrite
existing images, or tamper with the repository's contents.
Impact
Allowing global write access to an AWS ECR public repository compromises the security of the stored container images. This misconfiguration could lead to the distribution of malware-infected images, data exfiltration, or service disruptions if malicious images are deployed.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS ECR public repository modified to allow global write access |
Investigation and Remediation
Review AWS CloudTrail logs and investigate which IAM user or role modified the repository policy to allow global write access. Verify whether the action was authorized. If unauthorized, revert the changes by updating the repository policy to restrict write access to authorized users and roles. Conduct a thorough security audit to identify and address other potential threats.
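The triage step above can be scripted. The following is an added example, not AlphaSOC's detection logic: it takes a CloudTrail record for SetRepositoryPolicy, parses the submitted policy, and reports who made the change and which statements grant write actions to everyone. The `WRITE_ACTIONS` list, the assumption that `requestParameters` carries `repositoryName` and `policyText`, and the sample record (placeholder account, user and repository) are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# Assumed list of actions treated as "write"; adjust to your own definition.
WRITE_ACTIONS = ("ecr-public:PutImage", "ecr-public:InitiateLayerUpload",
                 "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload",
                 "ecr-public:BatchDeleteImage")

def as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def is_anyone(principal):
    # "*", {"AWS": "*"} and {"AWS": ["*"]} all mean every AWS principal.
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return principal == "*"

def global_write_statements(policy_text):
    """Allow statements that grant a write action to everyone.
    Simplification: statements carrying a Condition are left for manual review."""
    hits = []
    for stmt in as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [str(a).lower() for a in as_list(stmt.get("Action"))]
        if is_anyone(stmt.get("Principal")) and any(
                fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS for p in patterns):
            hits.append(stmt)
    return hits

def triage(event):
    """Return (actor ARN, repository, offending statements), or None if benign."""
    if (event.get("eventSource") != "ecr-public.amazonaws.com"
            or event.get("eventName") != "SetRepositoryPolicy"
            or event.get("errorCode")):  # failed calls changed nothing
        return None
    params = event.get("requestParameters") or {}
    hits = global_write_statements(params.get("policyText") or "{}")
    actor = (event.get("userIdentity") or {}).get("arn")
    return (actor, params.get("repositoryName"), hits) if hits else None

# Constructed sample record (assumed CloudTrail shape, placeholder account and names).
SAMPLE_EVENT = {
    "eventSource": "ecr-public.amazonaws.com", "eventName": "SetRepositoryPolicy",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
    "requestParameters": {"repositoryName": "example-repo", "policyText": json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
         "Action": ["ecr-public:PutImage", "ecr-public:UploadLayerPart"]}]})},
}
```

Calling `triage(SAMPLE_EVENT)` returns the actor ARN, the repository name and the offending statement; the statement list shows what to remove when reverting the policy.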