mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-31 07:00:38 -08:00
Migrate to using mdbook
This commit is contained in:
Congon4tor
102
src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
Normal file
102
src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
Normal file
@@ -0,0 +1,102 @@
|
||||
# AWS - ECR Enum
|
||||
|
||||
## AWS - ECR Enum
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
### ECR
|
||||
|
||||
#### Basic Information
|
||||
|
||||
Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
|
||||
|
||||
ECR is compose by 2 types of objects: **Registries** and **Repositories**.
|
||||
|
||||
**Registries**
|
||||
|
||||
Every AWS account has 2 registries: **Private** & **Public**.
|
||||
|
||||
1. **Private Registries**:
|
||||
|
||||
- **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
|
||||
- The URI of a **private repository** follows the format `<account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>`
|
||||
- **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
|
||||
- **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
|
||||
- **Other private registry options**:
|
||||
- The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
|
||||
- The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
|
||||
- The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
|
||||
- Specific **IAM policies** can be configured to grant different **permissions**.
|
||||
- The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
|
||||
|
||||
2. **Public Registries**:
|
||||
|
||||
- **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
|
||||
- The URI of a **public repository** is like `public.ecr.aws/<random>/<name>`. Although the `<random>` part can be changed by the admin to another string easier to remember.
|
||||
|
||||
**Repositories**
|
||||
|
||||
These are the **images** that in the **private registry** or to the **public** one.
|
||||
|
||||
> [!NOTE]
|
||||
> Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
|
||||
|
||||
#### Registry & Repository Policies
|
||||
|
||||
**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
|
||||
|
||||
<figure><img src="../../../images/image (280).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### Enumeration
|
||||
|
||||
```bash
|
||||
# Get repos
|
||||
aws ecr describe-repositories
|
||||
aws ecr describe-registry
|
||||
|
||||
# Get image metadata
|
||||
aws ecr list-images --repository-name <repo_name>
|
||||
aws ecr describe-images --repository-name <repo_name>
|
||||
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
|
||||
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
|
||||
aws ecr describe-pull-through-cache-rules --repository-name <repo_name> --image-id <image_id>
|
||||
|
||||
# Get public repositories
|
||||
aws ecr-public describe-repositories
|
||||
|
||||
# Get policies
|
||||
aws ecr get-registry-policy
|
||||
aws ecr get-repository-policy --repository-name <repo_name>
|
||||
```
|
||||
|
||||
#### Unauthenticated Enum
|
||||
|
||||
{{#ref}}
|
||||
../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
|
||||
{{#endref}}
|
||||
|
||||
#### Privesc
|
||||
|
||||
In the following page you can check how to **abuse ECR permissions to escalate privileges**:
|
||||
|
||||
{{#ref}}
|
||||
../aws-privilege-escalation/aws-ecr-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
#### Post Exploitation
|
||||
|
||||
{{#ref}}
|
||||
../aws-post-exploitation/aws-ecr-post-exploitation.md
|
||||
{{#endref}}
|
||||
|
||||
#### Persistence
|
||||
|
||||
{{#ref}}
|
||||
../aws-persistence/aws-ecr-persistence.md
|
||||
{{#endref}}
|
||||
|
||||
## References
|
||||
|
||||
- [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
Reference in New Issue
Block a user