[New Rule] AWS Elastic Container Registry Policy Modification

[bm11100]

Description

Detects modifications to an AWS ECR policy. Ensure that ECR repositories are only shared with trusted accounts, and that the trusted accounts truly need access. Restrict access to IAM permissions that could lead to exposure of your ECR repositories.

Required Info

Target indexes

filebeat-*
logs-aws*

Platforms

aws

Tested ECS Version

tbd

Optional Info

Query

event.dataset:aws.cloudtrail and event.provider:ecr.amazonaws.com and (event.action:SetRepositoryPolicy or DeleteRepositoryPolicy or PutRegistryPolicy or DeleteRegistryPolicy) and event.outcome:success

References

https://endgame.readthedocs.io/en/latest/risks/ecr/

Example Data

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.