AWS ECR Repository or Registry Policy Granted Public Access

Detects when an Amazon ECR repository or registry policy is modified to grant public access using a wildcard principal (Principal:"") statement. This rule analyzes SetRepositoryPolicy and PutRegistryPolicy events whose policy document grants an Allow effect to a wildcard ("") principal, indicating that pull (and potentially push) permissions were extended to all identities, including unauthenticated users. A public container registry can expose proprietary images and any secrets baked into their layers, and, if push is allowed, enables supply-chain implantation. Public ECR access is sometimes intentional for image distribution, so the granting principal and the permissions should be validated.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/29"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/06/29"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when an Amazon ECR repository or registry policy is modified to grant public access using a wildcard principal
 11(Principal:"*") statement. This rule analyzes SetRepositoryPolicy and PutRegistryPolicy events whose policy document grants an Allow effect to a
 12wildcard ("*") principal, indicating that pull (and potentially push) permissions were
 13extended to all identities, including unauthenticated users. A public container registry can expose proprietary images
 14and any secrets baked into their layers, and, if push is allowed, enables supply-chain implantation. Public ECR access
 15is sometimes intentional for image distribution, so the granting principal and the permissions should be validated.
 16"""
 17false_positives = [
 18    """
 19    Repositories used to distribute public images may legitimately contain Principal:"*". This rule does not by itself
 20    determine whether a Deny statement restricts the same access; review the full policy in
 21    "aws.cloudtrail.request_parameters" and confirm the granted actions (pull-only versus push) and whether public
 22    exposure is intended.
 23    """,
 24]
 25from = "now-15m"
 26interval = "10m"
 27language = "esql"
 28license = "Elastic License v2"
 29name = "AWS ECR Repository or Registry Policy Granted Public Access"
 30note = """## Triage and analysis
 31
 32### Investigating AWS ECR Repository or Registry Policy Granted Public Access
 33
 34This rule detects "SetRepositoryPolicy" or "PutRegistryPolicy" calls where the policy document grants an Allow effect to a wildcard ("*") principal, granting access to all identities. A public ECR repository allows anyone to pull its images, exposing proprietary code and any secrets embedded in image layers; if push actions are granted, an adversary can implant a malicious image that downstream ECS, EKS, or Lambda workloads then run.
 35
 36### Possible investigation steps
 37
 38- Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip" and "user_agent.original" for an unexpected origin or tool.
 39- Extract the policy from "aws.cloudtrail.request_parameters" and identify the granted actions; pull actions (BatchGetImage, GetDownloadUrlForLayer) expose images, while push actions (PutImage, UploadLayerPart) enable implantation.
 40- Confirm whether a Deny statement restricts the same access, in which case the alert may be a false positive.
 41- Determine which repository is affected and whether it contains sensitive images, and correlate with subsequent pull or push activity from external principals.
 42
 43### False positive analysis
 44
 45- Public image distribution legitimately uses Principal:"*". Confirm the exposure is intended, the actions are pull-only, and the granting principal is approved.
 46
 47### Response and remediation
 48
 49- If the exposure is unauthorized, restore a known-good policy or remove the public statement, and review for any external pulls or pushes since the change.
 50- Rotate or restrict credentials for the principal if compromise is suspected, and restrict "ecr:SetRepositoryPolicy" and "ecr:PutRegistryPolicy" to trusted administrators.
 51"""
 52references = [
 53    "https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_SetRepositoryPolicy.html",
 54    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html",
 55]
 56risk_score = 47
 57rule_id = "699fdfb9-8430-4dcb-b5a9-da67dae64808"
 58setup = "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details."
 59severity = "medium"
 60tags = [
 61    "Domain: Cloud",
 62    "Data Source: AWS",
 63    "Data Source: Amazon Web Services",
 64    "Data Source: AWS ECR",
 65    "Use Case: Threat Detection",
 66    "Tactic: Exfiltration",
 67    "Resources: Investigation Guide",
 68]
 69timestamp_override = "event.ingested"
 70type = "esql"
 71
 72query = '''
 73FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
 74| WHERE event.provider == "ecr.amazonaws.com"
 75  AND event.action IN ("SetRepositoryPolicy", "PutRegistryPolicy")
 76  AND event.outcome == "success"
 77  AND (aws.cloudtrail.user_identity.type IS NULL OR aws.cloudtrail.user_identity.type != "AWSService")
 78  AND aws.cloudtrail.request_parameters RLIKE """.*\"Effect\": *\"Allow\".*"""
 79  AND (aws.cloudtrail.request_parameters RLIKE """.*\"Principal\": *\"\*\".*"""
 80       OR aws.cloudtrail.request_parameters RLIKE """.*\"Principal\": *\{ *\"AWS\": *\"\*\".*""")
 81| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*
 82'''
 83
 84
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1537"
 89name = "Transfer Data to Cloud Account"
 90reference = "https://attack.mitre.org/techniques/T1537/"
 91
 92
 93[rule.threat.tactic]
 94id = "TA0010"
 95name = "Exfiltration"
 96reference = "https://attack.mitre.org/tactics/TA0010/"
 97
 98[rule.investigation_fields]
 99field_names = [
100    "@timestamp",
101    "user.name",
102    "user_agent.original",
103    "source.ip",
104    "source.as.number",
105    "source.as.organization.name",
106    "aws.cloudtrail.user_identity.arn",
107    "aws.cloudtrail.user_identity.type",
108    "aws.cloudtrail.user_identity.access_key_id",
109    "aws.cloudtrail.resources.arn",
110    "aws.cloudtrail.resources.type",
111    "event.action",
112    "event.outcome",
113    "cloud.account.id",
114    "cloud.region",
115    "aws.cloudtrail.request_parameters",
116    "aws.cloudtrail.response_elements",
117]

Triage and analysis

Investigating AWS ECR Repository or Registry Policy Granted Public Access

This rule detects "SetRepositoryPolicy" or "PutRegistryPolicy" calls where the policy document grants an Allow effect to a wildcard ("*") principal, granting access to all identities. A public ECR repository allows anyone to pull its images, exposing proprietary code and any secrets embedded in image layers; if push actions are granted, an adversary can implant a malicious image that downstream ECS, EKS, or Lambda workloads then run.

Possible investigation steps

  • Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip" and "user_agent.original" for an unexpected origin or tool.
  • Extract the policy from "aws.cloudtrail.request_parameters" and identify the granted actions; pull actions (BatchGetImage, GetDownloadUrlForLayer) expose images, while push actions (PutImage, UploadLayerPart) enable implantation.
  • Confirm whether a Deny statement restricts the same access, in which case the alert may be a false positive.
  • Determine which repository is affected and whether it contains sensitive images, and correlate with subsequent pull or push activity from external principals.

False positive analysis

  • Public image distribution legitimately uses Principal:"*". Confirm the exposure is intended, the actions are pull-only, and the granting principal is approved.

Response and remediation

  • If the exposure is unauthorized, restore a known-good policy or remove the public statement, and review for any external pulls or pushes since the change.
  • Rotate or restrict credentials for the principal if compromise is suspected, and restrict "ecr:SetRepositoryPolicy" and "ecr:PutRegistryPolicy" to trusted administrators.

References

Related rules

to-top