ECR/ECS Misconfigurations
Description
Public or weakly protected container registries and task roles enable image theft and privilege abuse. ECS tasks with shared roles, privileged containers, or wildcards in task/execution role permissions widen blast radius. Unscanned images and mutable tags increase supply‑chain risk.
Examples
Check ECR Policies and Scanning
aws ecr describe-repositories
aws ecr get-repository-policy --repository-name <repo>
aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=latest
aws ecr describe-repository-scanning-configuration --repository-name <repo>
aws ecr get-lifecycle-policy --repository-name <repo>
Review ECS Task Roles
aws ecs describe-task-definition --task-definition <td>
Look for over‑broad IAM roles attached to tasks, `privileged: true`, and plaintext secrets passed in the container's environment block rather than injected through its secrets block.
Remediation
- Keep repos private; enable scan on push; restrict pull/push with least privilege.
- Use per‑service task roles; avoid sharing admin‑level roles; scope permissions tightly. Prefer secret injection via Secrets Manager or SSM.
- Enable tag immutability and image signing (e.g., Notation/Sigstore) and enforce verification in deploy pipelines.
- Harden runtime: drop unnecessary Linux capabilities; avoid privileged; restrict network egress; run tasks in private subnets with security groups.
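An offline audit covering both the ECR policy check and the ECS task-definition review above, run against a weak and a hardened configuration so the remediation items (per-service task role, secrets block instead of environment, no privileged flag, capabilities dropped) can be seen to clear the findings. This is an added example, not code from the original page. It parses the JSON shapes printed by `aws ecr get-repository-policy` (the `policyText` field is a JSON string) and `aws ecs describe-task-definition`; the documents embedded below are constructed samples, and the account id, role and secret ARNs in them are placeholders.

```python
"""Offline audit of ECR repository policies and ECS task definitions (added example)."""
import json
import re

# Heuristic: environment variable names that usually carry a secret value.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def _principals(stmt):
    """Normalise an IAM Principal element to a list of principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        vals = p.get("AWS", [])
        return vals if isinstance(vals, list) else [vals]
    return []


def audit_repository_policy(policy_doc):
    """Findings for a `get-repository-policy` response: public or wildcard grants."""
    findings = []
    repo = policy_doc["repositoryName"]
    policy = json.loads(policy_doc["policyText"])
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        sid = stmt.get("Sid", "")
        if "*" in _principals(stmt):
            findings.append(f"{repo}: statement '{sid}' allows Principal * ({', '.join(actions)})")
        if any(a in ("ecr:*", "*") for a in actions):
            findings.append(f"{repo}: statement '{sid}' grants a wildcard action")
    return findings


def audit_task_definition(td_doc):
    """Findings for a `describe-task-definition` response."""
    findings = []
    td = td_doc["taskDefinition"]
    family = td.get("family", "?")
    if not td.get("taskRoleArn"):
        findings.append(f"{family}: no dedicated taskRoleArn")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{family}/{name}: privileged container")
        for env in c.get("environment", []):  # plaintext values live here
            if SECRET_NAME_RE.search(env.get("name", "")):
                findings.append(f"{family}/{name}: secret-like env var {env['name']} in environment")
        added = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        if added:
            findings.append(f"{family}/{name}: adds Linux capabilities {', '.join(added)}")
    return findings


def shared_task_roles(td_docs):
    """Task role ARNs used by more than one task family (shared-role blast radius)."""
    by_role = {}
    for d in td_docs:
        td = d["taskDefinition"]
        if td.get("taskRoleArn"):
            by_role.setdefault(td["taskRoleArn"], set()).add(td.get("family", "?"))
    return {r: sorted(f) for r, f in by_role.items() if len(f) > 1}


# ---- constructed samples (placeholder account id and ARNs) ----
ACCOUNT = "123456789012"
PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
WEAK_POLICY = {"repositoryName": "payments", "policyText": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicPull", "Effect": "Allow", "Principal": "*", "Action": PULL_ACTIONS}]})}
HARDENED_POLICY = {"repositoryName": "payments", "policyText": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CiPull", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"}, "Action": PULL_ACTIONS}]})}
WEAK_TD = {"taskDefinition": {
    "family": "payments-weak",
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "api", "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}, {"name": "LOG_LEVEL", "value": "info"}],
        "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_TD = {"taskDefinition": {
    "family": "payments",
    "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/payments-task",
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "api", "privileged": False, "readonlyRootFilesystem": True,
        "environment": [{"name": "LOG_LEVEL", "value": "info"}],
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:payments/db"}],
        "linuxParameters": {"capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "policy:", audit_repository_policy(doc) or "no findings")
    for doc in (WEAK_TD, HARDENED_TD):
        print(doc["taskDefinition"]["family"], ":", audit_task_definition(doc) or "no findings")
```

In practice the same functions can be fed the output of the CLI commands from the Examples section (`aws ecr get-repository-policy ... | python audit.py`, or one `describe-task-definition` call per active task definition), and `shared_task_roles` is run over the whole set of task definitions to spot a single role reused across services.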