Information disclosure due to unencrypted images in Amazon ECR repositories

Medium Risk information-disclosure
aws, ecr, container-registry, encryption, kms, data-protection, compliance

What it is

Amazon Elastic Container Registry (ECR) always encrypts image layers and manifests at rest, but a repository created without an encryption configuration uses the default AES-256 server-side encryption, and a repository with encryption_type = "KMS" but no kms_key uses the AWS managed key aws/ecr. In neither case can the organisation edit a key policy, scope decryption to the specific CI roles that push and the runtime roles that pull, share the key across accounts, or (for the AES-256 default) see KMS-level CloudTrail records of which principal decrypted which image. A customer-managed KMS key provides that control, so repositories without one are flagged as an information-disclosure risk for the container images and metadata they hold.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Neither Terraform nor CloudFormation requires an encryption block on an ECR repository: a minimal aws_ecr_repository or AWS::ECR::Repository resource is valid, applies cleanly, and silently receives the AES-256 default. Nothing in the plan output or in a basic policy-as-code check calls attention to the missing customer-managed key, so the gap persists until someone audits the registry.

Root causes

Missing Encryption Configuration

Amazon ECR repositories are created without an encryption_configuration block in Terraform or an EncryptionConfiguration property in CloudFormation. These repositories default to AES-256 server-side encryption, which offers no key policy, no key-level audit trail, and no way to restrict decryption to particular principals.

AWS-Managed Encryption Default

Repositories that do select encryption_type = "KMS" are left on the AWS managed key aws/ecr instead of a customer-managed key. An AWS managed key is still logged in CloudTrail, but its key policy cannot be edited, it cannot be shared with other accounts, and its rotation schedule is fixed by AWS, so it cannot express the organisation's own access and key-management requirements.

Missing KMS Key Policies

Teams that do adopt a customer-managed key often keep the default key policy, which grants the account root kms:* and otherwise defers to IAM. Any principal in the account with broad kms:* IAM permissions can then decrypt image layers; nothing in the key policy scopes use of the key to the CI role that pushes images and the runtime roles that pull them.

Incomplete Container Security Standards

Container security standards mandate image scanning, signing, and application-level controls but say nothing about which key encrypts the registry itself, so reviewers have no requirement to enforce and the default configuration passes unchallenged.

Legacy Repository Configurations

ECR has encrypted images at rest since launch, but support for customer-managed KMS keys was added later, and a repository's encryption configuration cannot be changed after creation. Repositories created before a team adopted KMS encryption therefore stay on the AES-256 default until they are recreated with a KMS configuration and their images are re-pushed, which is migration work that is easy to defer.

Fixes

1

Enable Customer-Managed KMS Encryption

Add an encryption_configuration block to each aws_ecr_repository resource with encryption_type = "KMS" and kms_key set to the ARN of a customer-managed KMS key (in CloudFormation, the equivalent EncryptionConfiguration property with EncryptionType: KMS and KmsKey). This gives fine-grained access control through the key policy, a per-principal audit trail of key use in CloudTrail, and the ability to enforce encryption requirements at the key level. Note that the encryption configuration is immutable: changing it on an existing repository forces a replacement, so plan to create the new repository, re-push the images, and retire the old one.

2

Configure Explicit KMS Key Policies

Write a KMS key policy that grants use of the key only to the principals that actually need it, typically the CI/CD role that pushes images and the runtime roles that pull them. ECR calls KMS through grants it creates on behalf of the calling principal, so the role that creates repositories also needs kms:CreateGrant, kms:RetireGrant and kms:DescribeKey alongside the encrypt and decrypt permissions. A kms:ViaService condition restricts use of the key to calls that pass through ECR, which keeps a compromised pipeline credential from using the key directly against other data.

3

Implement Repository Lifecycle Policies

Configure ECR lifecycle policies (aws_ecr_lifecycle_policy) to automatically expire untagged images and old builds and retain only the required number of production images. This is hygiene rather than a substitute for encryption, but it shrinks the set of stale image layers held under the key and reduces storage cost.

4

Enable Continuous Image Scanning

Set image_scanning_configuration with scan_on_push = true so that every pushed image is scanned for known vulnerabilities. Route the scan findings to AWS Security Hub or an EventBridge rule that alerts on critical results, so that an encrypted repository is not mistaken for a trustworthy one.
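The four steps above as one Terraform configuration. This is an added example written for this page, not code from Sourcery or from AWS; the repository name app-images, the alias, the two role-ARN variables, the tag prefix release- and the retention numbers are placeholders chosen for illustration, and the ECR repository would be created with the weak default configuration if the encryption_configuration block shown in the commented "before" resource were used instead.

```hcl
# Added example: KMS-encrypted ECR repository with a scoped key policy,
# lifecycle policy and scan-on-push. Names and variables are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "ci_push_role_arn" {
  type        = string
  description = "Assumed: IAM role that builds and pushes images"
}

variable "runtime_pull_role_arn" {
  type        = string
  description = "Assumed: IAM role (e.g. ECS/EKS node or task role) that pulls images"
}

# Before (the finding): no encryption_configuration, so the repository
# receives the AES-256 default and no customer-managed key is involved.
#
# resource "aws_ecr_repository" "app_images" {
#   name = "app-images"
# }

data "aws_iam_policy_document" "ecr_key" {
  # Key administration stays with the account; this is the standard root statement.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Only the push and pull roles may use the key, and only through ECR.
  # ECR creates KMS grants on behalf of the caller, hence CreateGrant/RetireGrant.
  statement {
    sid = "AllowEcrUseByAuthorizedRoles"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
      "kms:CreateGrant",
      "kms:RetireGrant",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.ci_push_role_arn, var.runtime_pull_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ecr.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "ecr" {
  description             = "Customer-managed key for ECR image encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.ecr_key.json
}

resource "aws_kms_alias" "ecr" {
  name          = "alias/ecr-app-images"
  target_key_id = aws_kms_key.ecr.key_id
}

# After: customer-managed KMS encryption, immutable tags, scan on push.
resource "aws_ecr_repository" "app_images" {
  name                 = "app-images"
  image_tag_mutability = "IMMUTABLE"

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Expire untagged layers quickly and cap the number of retained release images.
resource "aws_ecr_lifecycle_policy" "app_images" {
  repository = aws_ecr_repository.app_images.name

  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images after 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent release images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["release-"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      },
    ]
  })
}
```

Because encryption_configuration cannot be changed in place, `terraform plan` against an existing unencrypted repository will show the resource being replaced; images must be re-pushed to the new repository before the old one is removed. To find repositories that are still on the default, `aws ecr describe-repositories --query 'repositories[?encryptionConfiguration.encryptionType!=`KMS`].repositoryName'` lists every repository whose encryption type is not KMS, and for those that are KMS, the kmsKey field shows whether the AWS managed aws/ecr key or a customer-managed key is in use.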

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to unencrypted images in Amazon ECR repositories and many other security issues in your codebase.