Monitor Amazon ECR repositories for wildcard permissions using AWS CloudFormation and AWS Config - AWS Prescriptive Guidance

Created by Vikrant Telkar (AWS), Sajid Momin (AWS), and Wassim Benhallam (AWS)

Environment: Production

Technologies: DevOps; Containers & microservices

AWS services: AWS CloudFormation; AWS Config; Amazon ECR; Amazon SNS; AWS Lambda

Summary

On the Amazon Web Services (AWS) Cloud, Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service that supports private repositories with resource-based permissions using AWS Identity and Access Management (IAM).

IAM supports the “*” wildcard in both the resource and action attributes, which makes it easier to automatically choose multiple matching items. In your testing environment, you can allow all authenticated AWS users to access an Amazon ECR repository by using the ecr:* wildcard permission in a principal element for your repository policy statement. The ecr:* wildcard permission can be useful when developing and testing in development accounts that can't access your production data.

However, you must make sure that the ecr:* wildcard permission is not used in your production environments because it can cause serious security vulnerabilities. This pattern’s approach helps you to identify Amazon ECR repositories that contain the ecr:* wildcard permission in repository policy statements. The pattern provides steps and an AWS CloudFormation template to create a custom rule in AWS Config. An AWS Lambda function then monitors your Amazon ECR repository policy statements for ecr:* wildcard permissions. If it finds non-compliant repository policy statements, Lambda reports the result to AWS Config, AWS Config sends an event to Amazon EventBridge, and EventBridge then publishes to an Amazon Simple Notification Service (Amazon SNS) topic. The SNS topic notifies you by email about the non-compliant repository policy statements.

Prerequisites and limitations

Prerequisites 

 

Limitations 

  • This pattern’s solution is Regional, and all resources must be created in the same Region.

Architecture

The following diagram shows how AWS Config evaluates Amazon ECR repository policy statements. 

[Diagram: AWS Cloud architecture diagram showing the interaction between services for event processing and notification.]

The diagram shows the following workflow:

  1. AWS Config initiates a custom rule. 

  2. The custom rule invokes a Lambda function to evaluate the compliance of the Amazon ECR repository policy statements. The Lambda function then identifies non-compliant repository policy statements.

  3. The Lambda function sends the non-compliance status to AWS Config.

  4. AWS Config sends an event to EventBridge.

  5. EventBridge publishes the non-compliance notifications to an SNS topic.

  6. Amazon SNS sends an email alert to you or an authorized user.
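Steps 2 and 3 above are the part a practitioner needs to see concretely. The following is an added example, not the Lambda code from the pattern's attached template: a pure policy check that flags any Allow statement whose Action includes ecr:* (or the bare * action, which grants every ecr action too), wrapped in a custom-rule handler that reads the repository policy with boto3 and reports the result to AWS Config. The sample policy is constructed; the handler assumes the rule is triggered by configuration changes on AWS::ECR::Repository resources and that boto3 is available in the Lambda runtime.

```python
import json

# Constructed sample policy (not from the pattern): the second statement
# grants ecr:* to every principal, which the rule must flag.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Pull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"},
]})

WILDCARDS = {"ecr:*", "*"}  # a bare * action also grants every ecr action

def _as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    return [] if value is None else value if isinstance(value, list) else [value]

def wildcard_statements(policy_text):
    """Return the Sid (or index) of every Allow statement granting ecr:*."""
    hits = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny of ecr:* grants nothing and is not a finding
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}  # actions are case-insensitive
        if actions & WILDCARDS:
            hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits

def compliance_type(policy_text):
    """Map a repository policy (None when the repo has none) to a Config result."""
    if policy_text is None:
        return "COMPLIANT"  # no repository policy at all cannot grant ecr:*
    return "NON_COMPLIANT" if wildcard_statements(policy_text) else "COMPLIANT"

def lambda_handler(event, context):
    """Custom-rule entry point for AWS::ECR::Repository configuration changes."""
    import boto3  # imported lazily so the pure checks above run without it
    item = json.loads(event["invokingEvent"])["configurationItem"]
    ecr = boto3.client("ecr")
    try:
        text = ecr.get_repository_policy(repositoryName=item["resourceName"])["policyText"]
    except ecr.exceptions.RepositoryPolicyNotFoundException:
        text = None  # repository without a policy: nothing to flag
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type(text),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }])
```

Running compliance_type(SAMPLE_POLICY) locally returns NON_COMPLIANT because of the TooBroad statement; the handler is only exercised inside Lambda.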

Automation and scale

This pattern’s solution can monitor any number of Amazon ECR repository policy statements, but all resources that you want to evaluate must be created in the same Region.

Tools

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.

  • AWS Config – AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

  • Amazon ECR – Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using IAM.

  • Amazon EventBridge – Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your applications, software as a service (SaaS) applications, and AWS services to targets such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other accounts.

  • AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages. 

Code

The code for this pattern is available in the aws-config-cloudformation.template file (attached).

Epics

Task: Create the AWS CloudFormation stack.

Description: Create an AWS CloudFormation stack by running the following command in the AWS CLI:

$ aws cloudformation create-stack --stack-name=AWSConfigECR \
    --template-body file://aws-config-cloudformation.template \
    --parameters ParameterKey=<email>,ParameterValue=<myemail@example.com> \
    --capabilities CAPABILITY_NAMED_IAM

Skills required: AWS DevOps

Task: Test the AWS Config custom rule.

Description:

  1. Sign in to the AWS Management Console, open the AWS Config console, and then choose Resources.

  2. On the Resource inventory page, you can filter by resource category, resource type, and compliance status.

  3. An Amazon ECR repository whose policy contains ecr:* is shown as NON-COMPLIANT, and an Amazon ECR repository whose policy doesn't contain ecr:* is shown as COMPLIANT.

  4. The email address subscribed to the SNS topic receives notifications if an Amazon ECR repository contains non-compliant policy statements.

Skills required: AWS DevOps

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip