Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions


@@ -6,49 +6,48 @@
### ECR
#### Basic Information
#### Basiese Inligting
Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
Amazon **Elastic Container Registry** (Amazon ECR) is 'n **bestuurde houerbeeld registrasiediens**. Dit is ontwerp om 'n omgewing te bied waar kliënte met hul houerbeelde kan interaksie hê deur middel van bekende koppelvlakke. Spesifiek word die gebruik van die Docker CLI of enige verkiesde kliënt ondersteun, wat aktiwiteite soos die stoot, trek en bestuur van houerbeelde moontlik maak.
ECR is compose by 2 types of objects: **Registries** and **Repositories**.
ECR bestaan uit 2 tipes voorwerpe: **Registrasies** en **Bergings**.
**Registries**
**Registrasies**
Every AWS account has 2 registries: **Private** & **Public**.
Elke AWS-rekening het 2 registrasies: **Privaat** & **Publiek**.
1. **Private Registries**:
1. **Privaat Registrasies**:
- **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
- The URI of a **private repository** follows the format `<account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>`
- **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
- **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
- **Other private registry options**:
- The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
- The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
- The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
- Specific **IAM policies** can be configured to grant different **permissions**.
- The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
- **Privaat per standaard**: Die houerbeelde wat in 'n Amazon ECR privaat registrasie gestoor word, is **slegs toeganklik vir gemagtigde gebruikers** binne jou AWS-rekening of vir diegene aan wie toestemming gegee is.
- Die URI van 'n **privaat berging** volg die formaat `<account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>`
- **Toegangsbeheer**: Jy kan **toegang beheer** tot jou privaat houerbeelde deur middel van **IAM-beleide**, en jy kan fyn-granige toestemmings op grond van gebruikers of rolle konfigureer.
- **Integrasie met AWS-dienste**: Amazon ECR privaat registrasies kan maklik **geïntegreer word met ander AWS-dienste**, soos EKS, ECS...
- **Ander privaat registrasie opsies**:
- Die Tag onveranderlikheid kolom lys sy status, as tag onveranderlikheid geaktiveer is, sal dit **verhoed** dat beeld **stoot** met **bestaande tags** die beelde oorskryf.
- Die **Enkripsietipe** kolom lys die enkripsie eienskappe van die berging, dit wys die standaard enkripsietipes soos AES-256, of het **KMS** geaktiveerde enkripsies.
- Die **Trek deur kas** kolom lys sy status, as Trek deur kas status Aktief is, sal dit **bergings in 'n eksterne publieke berging in jou privaat berging** kas.
- Spesifieke **IAM-beleide** kan geconfigureer word om verskillende **toestemmings** toe te ken.
- Die **skandeer konfigurasie** laat toe om vir kwesbaarhede in die beelde wat binne die berging gestoor is, te skandeer.
2. **Public Registries**:
2. **Publieke Registrasies**:
- **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
- The URI of a **public repository** is like `public.ecr.aws/<random>/<name>`. Although the `<random>` part can be changed by the admin to another string easier to remember.
- **Publieke toeganklikheid**: Houerbeelde wat in 'n ECR Publieke registrasie gestoor word, is **toeganklik vir enigiemand op die internet sonder verifikasie.**
- Die URI van 'n **publieke berging** is soos `public.ecr.aws/<random>/<name>`. Alhoewel die `<random>` deel deur die admin na 'n ander string wat makliker om te onthou is, verander kan word.
**Repositories**
**Bergings**
These are the **images** that in the **private registry** or to the **public** one.
Dit is die **beelde** wat in die **privaat registrasie** of in die **publieke** een is.
> [!NOTE]
> Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
> Let daarop dat om 'n beeld na 'n berging op te laai, die **ECR berging dieselfde naam as die beeld moet hê**.
#### Registry & Repository Policies
#### Registrasie & Berging Beleide
**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
**Registrasies & bergings** het ook **beleide wat gebruik kan word om toestemmings aan ander beginsels/rekeninge toe te ken**. Byvoorbeeld, in die volgende berging beleid beeld kan jy sien hoe enige gebruiker van die hele organisasie toegang tot die beeld sal hê:
<figure><img src="../../../images/image (280).png" alt=""><figcaption></figcaption></figure>
#### Enumeration
#### Enumerasie
```bash
# Get repos
aws ecr describe-repositories
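Review bot: In the "Registry & Repository Policies" paragraph, "principals/accounts" is translated as "beginsels/rekeninge", which reads as "principles" rather than IAM principals and changes what the sentence says about who a policy can grant access to; keep the IAM term "principals" in English. The same concern applies to the console labels in the private-registry list: "Tag onveranderlikheid", "Enkripsietipe" and "Trek deur kas" no longer match the column names the bullets say they are describing, and "Registrasies"/"Bergings" no longer match the `aws ecr describe-repositories` command in the Enumeration block, so I would leave these product terms untranslated or give the English in parentheses. Minor: "geconfigureer" in the IAM-policies bullet is inconsistent with "konfigureer" in the access-control bullet a few lines above it.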
@@ -68,39 +67,34 @@ aws ecr-public describe-repositories
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>
```
#### Unauthenticated Enum
#### Ongeauthentiseerde Enum
{{#ref}}
../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
{{#endref}}
#### Privesc
#### Privilege Verhoging
In the following page you can check how to **abuse ECR permissions to escalate privileges**:
In die volgende bladsy kan jy kyk hoe om **ECR-toestemmings te misbruik om voorregte te verhoog**:
{{#ref}}
../aws-privilege-escalation/aws-ecr-privesc.md
{{#endref}}
#### Post Exploitation
#### Post Exploitatie
{{#ref}}
../aws-post-exploitation/aws-ecr-post-exploitation.md
{{#endref}}
#### Persistence
#### Volharding
{{#ref}}
../aws-persistence/aws-ecr-persistence.md
{{#endref}}
## References
## Verwysings
- [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html)
{{#include ../../../banners/hacktricks-training.md}}
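Review bot: The translated section headings in this hunk are inconsistent with the body text and with the pages they introduce. "Privilege Verhoging" keeps the English word "Privilege" while the sentence directly under it uses "voorregte te verhoog"; "Ongeauthentiseerde Enum" does not match the earlier hunk, which renders authentication as "verifikasie"; "Post Exploitatie" is not spelled consistently with the rest of the translation; and "Volharding" for "Persistence" loses the technical meaning. Since the {{#ref}} targets stay as aws-ecr-privesc.md, aws-ecr-post-exploitation.md and aws-ecr-persistence.md, I would keep the established terms (Privesc, Post Exploitation, Persistence) in English in the headings so they match the linked pages.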