gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-29 14:13:20 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ef56bb6b38468e009a1ce34747dd626ea22acb7
hacktricks-cloud/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

132 lines
7.0 KiB
Markdown
Raw Blame History

# AWS - ECR Enum
## AWS - ECR Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
### ECR
#### Basic Information
Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
ECR is compose by 2 types of objects: **Registries** and **Repositories**.
**Registries**
Every AWS account has 2 registries: **Private** & **Public**.
1. **Private Registries**:
* **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
* The URI of a **private repository** follows the format `<account_id>.dkr.ecr.<region>.amazonaws.com/<repo-name>`
* **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
* **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
* **Other private registry options**:
* The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
* The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
* The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
* Specific **IAM policies** can be configured to grant different **permissions**.
* The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
2. **Public Registries**:
* **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
* The URI of a **public repository** is like `public.ecr.aws/<random>/<name>`. Although the `<random>` part can be changed by the admin to another string easier to remember.
**Repositories**
These are the **images** that in the **private registry** or to the **public** one.
{% hint style="info" %}
Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
{% endhint %}
#### Registry & Repository Policies
**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
<figure><img src="../../../.gitbook/assets/image (280).png" alt=""><figcaption></figcaption></figure>
#### Enumeration
{% code overflow="wrap" %}
```bash
# Get repos
aws ecr describe-repositories
aws ecr describe-registry
# Get image metadata
aws ecr list-images --repository-name <repo_name>
aws ecr describe-images --repository-name <repo_name>
aws ecr describe-image-replication-status --repository-name <repo_name> --image-id <image_id>
aws ecr describe-image-scan-findings --repository-name <repo_name> --image-id <image_id>
aws ecr describe-pull-through-cache-rules --repository-name <repo_name> --image-id <image_id>
# Get public repositories
aws ecr-public describe-repositories
# Get policies
aws ecr get-registry-policy
aws ecr get-repository-policy --repository-name <repo_name>
```
{% endcode %}
#### Unauthenticated Enum
{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %}
[aws-ecr-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md)
{% endcontent-ref %}
#### Privesc
In the following page you can check how to **abuse ECR permissions to escalate privileges**:
{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %}
[aws-ecr-privesc.md](../aws-privilege-escalation/aws-ecr-privesc.md)
{% endcontent-ref %}
#### Post Exploitation
{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %}
[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md)
{% endcontent-ref %}
#### Persistence
{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %}
[aws-ecr-persistence.md](../aws-persistence/aws-ecr-persistence.md)
{% endcontent-ref %}
## References
* [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink