
AWS - ECR Enum



ECR

Basic Information

Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.

ECR is composed of 2 types of objects: Registries and Repositories.

Registries

Every AWS account has 2 registries: Private & Public.

  1. Private Registries:
  • Private by default: The container images stored in an Amazon ECR private registry are only accessible to authorized users within your AWS account or to those who have been granted permission.
    • The URI of a private repository follows the format <account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>
  • Access control: You can control access to your private container images using IAM policies, and you can configure fine-grained permissions based on users or roles.
  • Integration with AWS services: Amazon ECR private registries can be easily integrated with other AWS services, such as EKS, ECS...
  • Other private registry options:
    • The Tag immutability column lists its status. If tag immutability is enabled, it prevents image pushes with pre-existing tags from overwriting the images.
    • The Encryption type column lists the encryption properties of the repository: either the default encryption type, such as AES-256, or KMS-enabled encryption.
    • The Pull through cache column lists its status. If the Pull through cache status is Active, it will cache repositories from an external public repository into your private repository.
    • Specific IAM policies can be configured to grant different permissions.
    • The scanning configuration allows scanning for vulnerabilities in the images stored inside the repo.
  2. Public Registries:
  • Public accessibility: Container images stored in an ECR Public registry are accessible to anyone on the internet without authentication.
    • The URI of a public repository looks like public.ecr.aws/<random>/<name>, although the <random> part can be changed by the admin to another string that is easier to remember.

Repositories

These are the images that are stored in the private registry or in the public one.

{% hint style="info" %} Note that in order to upload an image to a repository, the ECR repository needs to have the same name as the image. {% endhint %}

Registry & Repository Policies

Registries & repositories also have policies that can be used to grant permissions to other principals/accounts. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:

Enumeration

{% code overflow="wrap" %}

```bash
# Get repos
aws ecr describe-repositories
aws ecr describe-registry

# Get image metadata
# <image_id> takes the form imageTag=<tag> or imageDigest=<digest>
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
# Pull through cache rules are registry-level: no repository or image arguments
aws ecr describe-pull-through-cache-rules

# Get public repositories
aws ecr-public describe-repositories

# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>
```

{% endcode %}
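
An added example (not part of the original page or of any HackTricks code) for reviewing the output of `aws ecr get-repository-policy`: it flags `Allow` statements whose principal is a wildcard and reports whether an `aws:PrincipalOrgID` condition limits them to an organization, which is the organization-wide grant described under Registry & Repository Policies. The sample response, account ID and organization ID are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ecr get-repository-policy` output;
# policyText is itself a JSON string. Account and org IDs are placeholders.
SAMPLE_RESPONSE = {
    "repositoryName": "example-repo",
    "policyText": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "OrgWidePull", "Effect": "Allow", "Principal": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AnyonePush", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "ecr:*"},
        {"Sid": "OneAccount", "Effect": "Allow", "Action": "ecr:BatchGetImage",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    ]}),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    # Matches "Principal": "*" and {"AWS": "*"} in string or list form.
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def org_ids(statement):
    """Org IDs that a positive string match on aws:PrincipalOrgID requires."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().split(":")[-1] not in ("stringequals", "stringlike"):
            continue  # negated or ...IfExists operators do not pin the org
        for key, value in keys.items():
            if key.lower() == "aws:principalorgid":
                found += as_list(value)
    return found

def audit_repository_policy(response):
    """Return one finding per Allow statement whose principal is a wildcard."""
    findings = []
    for stmt in as_list(json.loads(response["policyText"]).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
            continue
        orgs = org_ids(stmt)
        scope = "organization" if orgs else "conditional" if stmt.get("Condition") else "any-principal"
        findings.append({"sid": stmt.get("Sid", ""), "scope": scope,
                         "org_ids": orgs, "actions": as_list(stmt.get("Action", []))})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_repository_policy(SAMPLE_RESPONSE), indent=2))
```

A `conditional` result means the wildcard is narrowed by some other condition key that this check does not interpret, so those statements still need manual review.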

Unauthenticated Enum

{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %} aws-ecr-unauthenticated-enum.md {% endcontent-ref %}

Privesc

In the following page you can check how to abuse ECR permissions to escalate privileges:

{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %} aws-ecr-privesc.md {% endcontent-ref %}

Post Exploitation

{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} aws-ecr-post-exploitation.md {% endcontent-ref %}

Persistence

{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %} aws-ecr-persistence.md {% endcontent-ref %}
