k9 Security now analyzes principals’ access to the Amazon Elastic Container Registry (ECR) APIs. k9 reports whether IAM principals may administer, read, write, and delete ECR image registries and repositories. Amazon ECR is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.

Wondering which IAM principals can administer or use ECR APIs and resources? k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use ECR APIs, then maps each principal’s access to a k9 access capability.

Here’s an example of how ECR access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

This excerpt shows the ci IAM user has full access to the ECR APIs. It is allowed to administer-resource, read-config, read-data, write-data, and delete-data. The k9-auditor role has the read-config capability for the ECR APIs, as granted by the SecurityAudit AWS Managed Policy.

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
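To make the action-to-capability mapping concrete, here is an added example (not k9's code, and not the mapping from the report's worksheet) that expands the `Action` patterns in IAM policy documents against a subset of real ECR API actions, subtracts explicit `Deny` statements, and buckets what remains into the five capability names used above. The bucketing of individual actions and the three policy documents are this example's own assumptions, constructed to mirror the `ci` and `k9-auditor` principals from the excerpt plus a deployer role that is denied deletion.

```python
"""Bucket ECR permissions from IAM policy documents into coarse access capabilities.

Added illustration: the action-to-capability assignment below is this example's
assumption, not k9 Security's published mapping, and covers only a subset of
the ECR API actions.
"""
import fnmatch

# Real ECR API action names, bucketed (by assumption) into the capability names
# used in the Principal Access Summary. Dict order matches the report's order.
ECR_CAPABILITIES = {
    "administer-resource": [
        "ecr:CreateRepository", "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
        "ecr:PutLifecyclePolicy", "ecr:DeleteLifecyclePolicy", "ecr:PutImageTagMutability",
        "ecr:PutImageScanningConfiguration", "ecr:TagResource", "ecr:UntagResource",
    ],
    "read-config": [
        "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr:DescribeImageScanFindings",
        "ecr:GetRepositoryPolicy", "ecr:GetLifecyclePolicy", "ecr:ListImages",
        "ecr:ListTagsForResource",
    ],
    "read-data": [
        "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
    ],
    "write-data": [
        "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload", "ecr:StartImageScan",
    ],
    "delete-data": ["ecr:BatchDeleteImage", "ecr:DeleteRepository"],
}
ALL_ECR_ACTIONS = sorted(a for acts in ECR_CAPABILITIES.values() for a in acts)


def expand_actions(patterns):
    """Expand IAM Action strings (possibly with * wildcards) to concrete ECR actions.

    IAM action matching is case-insensitive, so both sides are lower-cased.
    """
    if isinstance(patterns, str):
        patterns = [patterns]
    matched = set()
    for pattern in patterns:
        for action in ALL_ECR_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def allowed_ecr_actions(policy):
    """Net ECR actions a policy grants: union of Allows minus union of explicit Denys."""
    allowed, denied = set(), set()
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        actions = expand_actions(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow":
            allowed |= actions
        elif stmt.get("Effect") == "Deny":
            denied |= actions
    return allowed - denied


def capabilities(policy):
    """Capability names (in report order) for which the policy allows at least one action."""
    actions = allowed_ecr_actions(policy)
    return [cap for cap, acts in ECR_CAPABILITIES.items() if actions & set(acts)]


def summarize(principals):
    """Build a Principal Access Summary-style table: principal name -> capability list."""
    return {name: capabilities(policy) for name, policy in principals.items()}


# Constructed policy documents (assumptions for this example, not real account data).
CI_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}
AUDITOR_ROLE_POLICY = {  # stand-in for a read-only audit policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecr:Describe*", "ecr:GetRepositoryPolicy",
                              "ecr:GetLifecyclePolicy", "ecr:ListTagsForResource"],
                   "Resource": "*"}],
}
DEPLOYER_ROLE_POLICY = {  # can push and pull, but an explicit Deny blocks deletion
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ecr:BatchDeleteImage", "ecr:DeleteRepository"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for principal, caps in summarize({"ci": CI_USER_POLICY,
                                      "k9-auditor": AUDITOR_ROLE_POLICY,
                                      "deployer": DEPLOYER_ROLE_POLICY}).items():
        print(f"{principal:12s} {', '.join(caps)}")
```

The deployer case is the one worth checking in a real review: a broad `ecr:*` grant paired with a narrow `Deny` still leaves administer-resource (repository policies, lifecycle rules, tag mutability) in place, which is often more than a deployment pipeline needs.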

Amazon ECR currently has 43 API actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how ECR compares to other AWS data, compute, and security APIs (1872 permissions in total):

Amazon ECR gives you a way to manage and deliver Docker images to your containerized applications in AWS. Manage risk to your application image dependencies stored in ECR by continuously reviewing and adjusting access to ECR APIs.

We hope k9’s new ECR analysis capabilities help you identify which IAM users and roles can administer container image registries and repositories in your AWS accounts. We are happy to answer any questions!