Monitor Amazon ECR repositories for wildcard permissions using AWS CloudFormation and AWS Config
Created by Vikrant Telkar (AWS), Sajid Momin (AWS), and Wassim Benhallam (AWS)
Environment: Production | Technologies: DevOps; Containers & microservices | AWS services: AWS CloudFormation; AWS Config; Amazon ECR; Amazon SNS; AWS Lambda |
Summary
On the Amazon Web Services (AWS) Cloud, Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service that supports private repositories with resource-based permissions using AWS Identity and Access Management (IAM).
IAM supports the "*" wildcard in both the resource and action attributes, which makes it easier to automatically choose multiple matching items. In your testing environment, you can allow all authenticated AWS users to access an Amazon ECR repository by using the ecr:* wildcard permission in a principal element for your repository policy statement. The ecr:* wildcard permission can be useful when developing and testing in development accounts that can't access your production data.
However, you must make sure that the ecr:* wildcard permission is not used in your production environments because it can cause serious security vulnerabilities. This pattern's approach helps you to identify Amazon ECR repositories that contain the ecr:* wildcard permission in repository policy statements.
The pattern provides steps and an AWS CloudFormation template to create a custom rule in AWS Config. An AWS Lambda function then monitors your Amazon ECR repository policy statements for ecr:* wildcard permissions. If it finds non-compliant repository policy statements, Lambda reports the non-compliance to AWS Config, which sends an event to Amazon EventBridge; EventBridge then publishes to an Amazon Simple Notification Service (Amazon SNS) topic. The SNS topic notifies you by email about the non-compliant repository policy statements.
Prerequisites and limitations
Prerequisites
An active AWS account.
AWS Command Line Interface (AWS CLI), installed and configured. For more information about this, see Installing, updating, and uninstalling the AWS CLI in the AWS CLI documentation.
An existing Amazon ECR repository with an attached policy statement, installed and configured in your testing environment. For more information about this, see Creating a private repository and Setting a repository policy statement in the Amazon ECR documentation.
AWS Config, configured in your preferred AWS Region. For more information about this, see Getting started with AWS Config in the AWS Config documentation.
The aws-config-cloudformation.template file (attached), downloaded to your local machine.
Limitations
This pattern’s solution is Regional and your resources must be created in the same Region.
Architecture
The following diagram shows how AWS Config evaluates Amazon ECR repository policy statements.
The diagram shows the following workflow:
AWS Config initiates a custom rule.
The custom rule invokes a Lambda function to evaluate the compliance of the Amazon ECR repository policy statements. The Lambda function then identifies non-compliant repository policy statements.
The Lambda function sends the non-compliance status to AWS Config.
AWS Config sends an event to EventBridge.
EventBridge publishes the non-compliance notifications to an SNS topic.
Amazon SNS sends an email alert to you or an authorized user.
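The following Python is an added example written for this page; it is not the Lambda function contained in the attached aws-config-cloudformation.template. It shows the evaluation logic that steps 2 and 3 of the workflow require: read the repository policy from the AWS::ECR::Repository configuration item that AWS Config passes to the rule, decide whether any Allow statement grants the ecr:* action, and build the evaluation that the handler reports back with PutEvaluations. It goes slightly beyond the page by also flagging a bare "*" action (a superset of ecr:*) and by returning NOT_APPLICABLE for deleted repositories. The configuration key RepositoryPolicyText, the helper names and the sample policies are assumptions constructed for this example.

```python
"""Compliance check for an AWS Config custom rule that flags ecr:* in ECR repository policies.

Added example for this page, not the Lambda function shipped in aws-config-cloudformation.template.
The event shape (invokingEvent, configurationItem, resultToken) follows the AWS Config custom-rule
contract; RepositoryPolicyText, the helper names and all sample policies are assumptions made here.
"""
import json
from typing import Any, Dict, List, Optional, Union

# The page is about ecr:*; a bare "*" action is a superset of it, so it is flagged as well.
WILDCARD_ACTIONS = {"ecr:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM fields such as Statement and Action may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_has_wildcard_action(policy: Union[str, Dict[str, Any]]) -> bool:
    """Return True if any Allow statement grants ecr:* (or "*") as an action.

    Only Allow statements count: a Deny of ecr:* restricts rather than grants.
    Comparison is case-insensitive because IAM matches action names that way.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for statement in _as_list(doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action")):
            if isinstance(action, str) and action.lower() in WILDCARD_ACTIONS:
                return True
    return False


def evaluate_repository(item: Dict[str, Any]) -> Dict[str, Any]:
    """Build the PutEvaluations entry for one AWS::ECR::Repository configuration item."""
    # Assumed key: the recorded policy sits under configuration.RepositoryPolicyText and
    # may arrive as a JSON string or an already-parsed object; both are handled.
    policy = (item.get("configuration") or {}).get("RepositoryPolicyText")
    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Repository no longer exists."
    elif not policy:
        compliance, note = "COMPLIANT", "No repository policy attached."
    elif policy_has_wildcard_action(policy):
        compliance, note = "NON_COMPLIANT", "Repository policy allows the ecr:* wildcard action."
    else:
        compliance, note = "COMPLIANT", "No ecr:* wildcard action in repository policy."
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point for a change-triggered custom rule; reports the verdict back to AWS Config."""
    import boto3  # imported lazily so the evaluation logic above stays runnable offline

    invoking_event = json.loads(event["invokingEvent"])
    evaluation = evaluate_repository(invoking_event["configurationItem"])
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample policies for local testing (not taken from the page).
NON_COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
})
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPull",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
    }],
})


def make_config_item(policy_text: Optional[str], repo_name: str = "example-repo") -> Dict[str, Any]:
    """Constructed AWS::ECR::Repository configuration item in the shape evaluate_repository expects."""
    return {
        "resourceType": "AWS::ECR::Repository",
        "resourceId": repo_name,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"RepositoryName": repo_name, "RepositoryPolicyText": policy_text},
    }


if __name__ == "__main__":
    for name, text in [("wildcard", NON_COMPLIANT_POLICY), ("pull-only", COMPLIANT_POLICY), ("none", None)]:
        verdict = evaluate_repository(make_config_item(text, repo_name=name))
        print(f"{name:9} -> {verdict['ComplianceType']}: {verdict['Annotation']}")
```

Run the file directly to see the verdict for each constructed policy. In Lambda only lambda_handler is invoked; the function's execution role needs config:PutEvaluations, and AWS Config needs permission to invoke the function, both of which the pattern's template is expected to provision.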
Automation and scale
This pattern’s solution can monitor any number of Amazon ECR repository policy statements, but all resources that you want to evaluate must be created in the same Region.
Tools
AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.
AWS Config – AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Amazon ECR – Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using IAM.
Amazon EventBridge – Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your applications, software as a service (SaaS) applications, and AWS services to targets such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other accounts.
AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running.
Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Code
The code for this pattern is available in the aws-config-cloudformation.template file (attached).
Epics
Task | Description | Skills required |
---|---|---|
Create the AWS CloudFormation stack. | Create an AWS CloudFormation stack by running the following command in AWS CLI: | AWS DevOps |
Task | Description | Skills required |
---|---|---|
Test the AWS Config custom rule. | | AWS DevOps |
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip