{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
ECR is compose by 2 types of objects: Registries and Repositories.
Registries
Every AWS account has 2 registries: Private & Public.
- Private Registries:
- Private by default: The container images stored in an Amazon ECR private registry are only accessible to authorized users within your AWS account or to those who have been granted permission.
- The URI of a private repository follows the format
<account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>
- The URI of a private repository follows the format
- Access control: You can control access to your private container images using IAM policies, and you can configure fine-grained permissions based on users or roles.
- Integration with AWS services: Amazon ECR private registries can be easily integrated with other AWS services, such as EKS, ECS...
- Other private registry options:
- The Tag immutability column lists its status, if tag immutability is enabled it will prevent image pushes with pre-existing tags from overwriting the images.
- The Encryption type column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has KMS enabled encryptions.
- The Pull through cache column lists its status, if Pull through cache status is Active it will cache repositories in an external public repository into your private repository.
- Specific IAM policies can be configured to grant different permissions.
- The scanning configuration allows to scan for vulnerabilities in the images stored inside the repo.
- Public Registries:
- Public accessibility: Container images stored in an ECR Public registry are accessible to anyone on the internet without authentication.
- The URI of a public repository is like
public.ecr.aws/<random>/<name>
. Although the<random>
part can be changed by the admin to another string easier to remember.
- The URI of a public repository is like
Repositories
These are the images that in the private registry or to the public one.
{% hint style="info" %} Note that in order to upload an image to a repository, the ECR repository need to have the same name as the image. {% endhint %}
Registries & repositories also have policies that can be used to grant permissions to other principals/accounts. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
{% code overflow="wrap" %}
# Get repos
aws ecr describe-repositories
aws ecr describe-registry
# Get image metadata
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
aws ecr describe-pull-through-cache-rules --repository-name <repo_name> --image-id <image_id>
# Get public repositories
aws ecr-public describe-repositories
# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>
{% endcode %}
{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %} aws-ecr-unauthenticated-enum.md {% endcontent-ref %}
In the following page you can check how to abuse ECR permissions to escalate privileges:
{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %} aws-ecr-privesc.md {% endcontent-ref %}
{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} aws-ecr-post-exploitation.md {% endcontent-ref %}
{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %} aws-ecr-persistence.md {% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.