
AWS ECR Repository or Registry Policy Granted Public Access

Elastic Detection Rules

Summary
Detects when an Amazon ECR repository or registry policy is modified to grant public access via a wildcard principal in SetRepositoryPolicy or PutRegistryPolicy events. The rule analyzes AWS CloudTrail events from ecr.amazonaws.com with the action SetRepositoryPolicy or PutRegistryPolicy and a successful outcome. It inspects the policy_document in aws.cloudtrail.request_parameters for an Allow statement whose principal is Principal: "*" or Principal: { "AWS": "*" }. Such a configuration could allow anonymous or broad access to container images (and pushes as well, if PutImage/UploadLayerPart are allowed), risking exposure of proprietary images and secrets embedded in them. Public access can be legitimate for image distribution, so the rule highlights changes whose intent needs validation. The included triage guidance covers identifying the actor, extracting and scrutinizing the granted actions (pull versus push), checking whether a Deny statement constrains the grant, and determining the affected repository and any subsequent activity against it. False positives are possible when distribution requires public access, so confirmation of intent and of restricted permissions is recommended. The rule maps to MITRE ATT&CK technique T1537 (Transfer Data to Cloud Account) under Exfiltration, and is implemented via CloudTrail ingestion through the Elastic AWS integration. References to AWS API and policy guidance are provided.
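The policy inspection the summary describes, written out as an added example (not the rule's own query or Elastic code): it applies the event filter, parses the nested policy document, flags wildcard-principal Allow statements, separates pull from push grants, and reports any wildcard Deny, which is the triage step the guidance asks for. The field names follow the summary above; the sample record and the wildcard handling of IAM action patterns are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase
# Write actions; the page names PutImage and UploadLayerPart, the other two finish a layer upload.
PUSH_ACTIONS = {"ecr:PutImage", "ecr:UploadLayerPart", "ecr:InitiateLayerUpload", "ecr:CompleteLayerUpload"}

# Constructed sample record (not a real log); policy_document sits as a JSON string in request_parameters.
SAMPLE_EVENT = {
    "event": {"provider": "ecr.amazonaws.com", "action": "SetRepositoryPolicy", "outcome": "success"},
    "aws": {"cloudtrail": {"request_parameters": {
        "repositoryName": "example-app",
        "policy_document": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
            {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "ecr:PutImage"},
        ]}),
    }}},
}

def _as_list(value):
    # IAM accepts a scalar or a list in Principal and Action; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # Matches Principal: "*" and Principal: {"AWS": "*"}, including "*" inside an AWS list.
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def analyze_policy(policy):
    # Collect what the policy allows to everyone, and any Deny that also targets everyone.
    public_actions, deny_actions = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        bucket = {"Allow": public_actions, "Deny": deny_actions}.get(stmt.get("Effect"))
        if bucket is not None:
            bucket.update(_as_list(stmt.get("Action", [])))
    # Granted actions may be patterns ("ecr:*", "ecr:Put*"), so match rather than compare names.
    push_granted = any(fnmatchcase(a, p) for a in PUSH_ACTIONS for p in public_actions)
    return {"public": bool(public_actions), "public_actions": sorted(public_actions),
            "push_granted": push_granted, "deny_actions": sorted(deny_actions)}

def evaluate_event(event):
    # Apply the rule's event filter, then inspect the policy; None means the record is out of scope.
    meta = event.get("event", {})
    if (meta.get("provider") != "ecr.amazonaws.com" or meta.get("outcome") != "success"
            or meta.get("action") not in ("SetRepositoryPolicy", "PutRegistryPolicy")):
        return None
    params = event.get("aws", {}).get("cloudtrail", {}).get("request_parameters", {})
    result = analyze_policy(json.loads(params.get("policy_document", "{}")))
    result["repository"] = params.get("repositoryName")  # absent for registry-level policies
    return result
```

For the sample record the result is a public pull-only grant on example-app with a wildcard Deny on ecr:PutImage, which is the "public but read-only" shape the triage guidance distinguishes from a public push grant.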
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1537
Created: 2026-06-29