# AWS - ECR Enum

## AWS - ECR Enum

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

### ECR

#### Basic Information

Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.

ECR is composed of 2 types of objects: **Registries** and **Repositories**.

**Registries**

Every AWS account has 2 registries: **Private** & **Public**.

1. **Private Registries**:
   * **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
     * The URI of a **private repository** follows the format `<account_id>.dkr.ecr.<region>.amazonaws.com/<repo_name>`
   * **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
   * **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
   * **Other private registry options**:
     * The **Tag immutability** column lists its status. If tag immutability is enabled, it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
     * The **Encryption type** column lists the encryption properties of the repository. It shows the default encryption type, such as AES-256, or whether **KMS** encryption is enabled.
     * The **Pull through cache** column lists its status. If the Pull through cache status is Active, it will cache **repositories in an external public repository into your private repository**.
     * Specific **IAM policies** can be configured to grant different **permissions**.
     * The **scanning configuration** allows scanning the images stored inside the repo for vulnerabilities.
2. **Public Registries**:
   * **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
     * The URI of a **public repository** is like `public.ecr.aws/<alias>/<repo_name>`, although the `<alias>` part can be changed by the admin to another string that is easier to remember.

**Repositories**

These are the **images** that are in the **private registry** or in the **public** one.

{% hint style="info" %}
Note that in order to upload an image to a repository, the **ECR repository needs to have the same name as the image**.
{% endhint %}

#### Registry & Repository Policies

**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
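The policy screenshot is not preserved in this copy. As an added example (not from the original page), the Python below audits a repository policy document, such as the `policyText` returned by `aws ecr get-repository-policy`, and reports how widely each `Allow` statement opens the repository. The sample policy, the organization ID, the account ID and all function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `policyText` from
# `aws ecr get-repository-policy`; IDs are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgWidePull", "Effect": "Allow", "Principal": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "WildcardFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "ecr:*"},
        {"Sid": "OneAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "ecr:BatchGetImage"},
    ],
})

# Actions that modify or delete repository content or its policy.
WRITE_ACTIONS = {"ecr:*", "ecr:PutImage", "ecr:SetRepositoryPolicy",
                 "ecr:BatchDeleteImage", "ecr:DeleteRepository"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def audit_repository_policy(policy_text):
    """Return one finding per Allow statement: (sid, scope, grants_write)."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Condition keys are case-insensitive; collect them across operators.
        cond_keys = {key.lower() for op in stmt.get("Condition", {}).values()
                     for key in op}
        if not _is_wildcard(stmt.get("Principal")):
            scope = "named-principals"
        elif "aws:principalorgid" in cond_keys:
            scope = "whole-organization"
        elif cond_keys:
            scope = "wildcard-with-conditions"
        else:
            scope = "any-aws-principal"
        actions = set(_as_list(stmt.get("Action", [])))
        findings.append((stmt.get("Sid", ""), scope, bool(actions & WRITE_ACTIONS)))
    return findings
```

For the sample, `audit_repository_policy(SAMPLE_POLICY)` classifies `OrgWidePull` as `whole-organization` (the case the page describes) and `WildcardFullAccess` as `any-aws-principal` with write access, which is the statement to review first.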
#### Enumeration

{% code overflow="wrap" %}
```bash
# Get repos
aws ecr describe-repositories
aws ecr describe-registry

# Get image metadata
# <image_id> uses the CLI shorthand: imageTag=<tag> or imageDigest=<digest>
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
# Pull through cache rules are registry-level: no repository or image arguments
aws ecr describe-pull-through-cache-rules

# Get public repositories
aws ecr-public describe-repositories

# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>
```
{% endcode %}

#### Unauthenticated Enum

{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %}
[aws-ecr-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md)
{% endcontent-ref %}

#### Privesc

In the following page you can check how to **abuse ECR permissions to escalate privileges**:

{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %}
[aws-ecr-privesc.md](../aws-privilege-escalation/aws-ecr-privesc.md)
{% endcontent-ref %}

#### Post Exploitation

{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %}
[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md)
{% endcontent-ref %}

#### Persistence

{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %}
[aws-ecr-persistence.md](../aws-persistence/aws-ecr-persistence.md)
{% endcontent-ref %}