Amazon Elastic Container Registry (ECR) is a managed container registry service that simplifies storing, managing, and deploying Docker container images. However, allowing any user or role to perform any action on an ECR repository without restriction is a significant security risk. When a repository policy statement has 'Effect' set to 'Allow' and 'Action' set to '*', it grants unrestricted access to valuable data and applications, increasing the risk of unauthorized access, data breaches, and malicious activity. This can have severe consequences for the infrastructure, such as data loss and service disruptions. Therefore, it is critical to define proper 'Action' parameters in ECR repository policies to establish robust access controls that ensure the security of container images.
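The check described above can be run against the policy document itself (the same JSON string that the Terraform `aws_ecr_repository_policy` resource takes in its `policy` argument). The following is an added example, not code from the page or from AWS: it flags every Allow statement whose Action is the wildcard, and the two policy documents are constructed samples; the account ID and repository ARN in them are placeholders.

```python
import json

# Constructed sample: the weak setting the page warns about (Effect Allow, Action '*').
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEverything",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
        "Action": "*",
    }],
})

# Constructed sample: the corrected form, scoped to the actions a pull-only client needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-runtime"},  # placeholder role
        "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
        ],
    }],
})


def policy_allows_all_actions(policy_json: str) -> list[str]:
    """Return the Sid (or index) of each Allow statement that grants every action.

    Both "*" and "ecr:*" are treated as wildcards: on a repository policy the only
    service in scope is ECR, so "ecr:*" is just as unrestricted as "*".
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list of strings
            actions = [actions]
        if any(a.strip() in ("*", "ecr:*") for a in actions):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings
```

Running the check over the two samples reports the `AllowEverything` statement and nothing for the scoped policy.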
In AWS Console -
In Terraform -
References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy