AWS ECR Repository or Registry Policy Granted Public Access

Last updated: 2026-06-29
Created: 2026-06-29

About

Detects when an Amazon ECR repository or registry policy is modified to grant public access using a wildcard principal (Principal:"*") statement. This rule analyzes SetRepositoryPolicy and PutRegistryPolicy events whose policy document grants an Allow effect to a wildcard ("*") principal, indicating that pull (and potentially push) permissions were extended to all identities, including unauthenticated users. A public container registry can expose proprietary images and any secrets baked into their layers, and, if push is allowed, enables supply-chain implantation. Public ECR access is sometimes intentional for image distribution, so the granting principal and the permissions should be validated.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS ECR
Use Case: Threat Detection
Tactic: Exfiltration
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)

False Positive Examples
Repositories used to distribute public images may legitimately contain Principal:"*". This rule does not by itself determine whether a Deny statement restricts the same access; review the full policy in "aws.cloudtrail.request_parameters" and confirm the granted actions (pull-only versus push) and whether public exposure is intended.
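The rule's regex match only establishes that an Allow statement and a wildcard principal both appear somewhere in the request; it cannot tell pull-only from push, and it ignores Deny statements. The following is an added triage example, not part of the Elastic rule or its repository, that applies the same filters to raw CloudTrail records and then parses the embedded policy document to answer those two follow-up questions. It assumes the raw CloudTrail field names (eventSource, eventName, userIdentity.type, requestParameters.policyText, errorCode) rather than the ECS-mapped fields the ES|QL query uses; the PUSH_ACTIONS shortlist, the _record helper and every sample record are constructed for this example with placeholder account IDs and names.

```python
import fnmatch
import json

# ECR actions that write to a registry. Constructed shortlist for this example; any action
# granted to "*" that matches none of these is treated as pull/read access.
PUSH_ACTIONS = ("ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:SetRepositoryPolicy")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _is_wildcard_principal(principal):
    """True for Principal:"*" or Principal:{"AWS":"*"}, the two forms the rule's RLIKEs match."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_push(action_patterns):
    """True if a granted action pattern ("*", "ecr:*", "ecr:PutImage", ...) covers a push action."""
    return any(fnmatch.fnmatchcase(push, pat) for pat in action_patterns for push in PUSH_ACTIONS)


def classify_policy(policy_text):
    """Summarise what a repository/registry policy document grants to the wildcard principal."""
    verdict = {"public": False, "push": False, "actions": set(), "wildcard_deny": False}
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            verdict["public"] = True
            verdict["actions"].update(actions)
            verdict["push"] = verdict["push"] or _grants_push(actions)
        elif stmt.get("Effect") == "Deny":
            # The rule does not evaluate Deny statements; flag them for manual review.
            verdict["wildcard_deny"] = True
    return verdict


def triage_event(event):
    """Apply the rule's filters to one raw CloudTrail record, then classify its policy."""
    if (event.get("eventSource") != "ecr.amazonaws.com"
            or event.get("eventName") not in ("SetRepositoryPolicy", "PutRegistryPolicy")
            or "errorCode" in event  # rule keeps only event.outcome == "success"
            or event.get("userIdentity", {}).get("type") == "AWSService"):
        return None
    params = event.get("requestParameters", {})
    policy_text = params.get("policyText")
    if not policy_text:
        return None
    verdict = classify_policy(policy_text)
    if not verdict["public"]:
        return None
    return {"event": event["eventName"],
            "repository": params.get("repositoryName", "<registry-wide>"),
            "push": verdict["push"], "actions": sorted(verdict["actions"]),
            "wildcard_deny": verdict["wildcard_deny"]}


def _record(name, statements, repo=None, identity="IAMUser"):
    """Build a constructed CloudTrail-shaped record (placeholder values, not real telemetry)."""
    params = {"policyText": json.dumps({"Version": "2012-10-17", "Statement": statements})}
    if repo:
        params["repositoryName"] = repo
    return {"eventSource": "ecr.amazonaws.com", "eventName": name,
            "userIdentity": {"type": identity}, "requestParameters": params}


SAMPLE_EVENTS = [
    # public pull-only repository: matches the rule, plausibly intentional image distribution
    _record("SetRepositoryPolicy", [{"Effect": "Allow", "Principal": "*",
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}], repo="public-base"),
    # registry-wide ecr:* to {"AWS": "*"}: anyone can push, the case to escalate
    _record("PutRegistryPolicy", [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "ecr:*"}],
            identity="AssumedRole"),
    # scoped to one account: not public, so neither the rule nor this triage fires
    _record("SetRepositoryPolicy", [{"Effect": "Allow", "Action": "ecr:BatchGetImage",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}], repo="internal-app"),
    # Allow to "*" beside a conditional Deny to "*": still flagged; the Deny needs manual review
    _record("SetRepositoryPolicy", [
        {"Effect": "Allow", "Principal": "*", "Action": "ecr:PutImage"},
        {"Effect": "Deny", "Principal": "*", "Action": "ecr:PutImage",
         "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-placeholder"}}}], repo="mixed"),
    # service-principal change is excluded by the rule's user_identity.type filter
    _record("SetRepositoryPolicy", [{"Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
            repo="svc-managed", identity="AWSService"),
]


def run(events=SAMPLE_EVENTS):
    """Return the findings the triage would raise for a batch of records."""
    return [f for f in map(triage_event, events) if f is not None]
```

Of the five constructed records, three produce findings: the pull-only repository (push False, the "intended public distribution" case to confirm with the owner), the registry-wide ecr:* grant (push True, the case to treat as a supply-chain exposure), and the mixed policy, which is reported with wildcard_deny True so the analyst inspects the Deny and its condition rather than trusting the regex-level match. Wildcard action patterns are resolved with fnmatch so that "ecr:*" or "*" is recognised as granting push without listing every action.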
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query
text code block:
FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
| WHERE event.provider == "ecr.amazonaws.com"
    AND event.action IN ("SetRepositoryPolicy", "PutRegistryPolicy")
    AND event.outcome == "success"
    AND (aws.cloudtrail.user_identity.type IS NULL OR aws.cloudtrail.user_identity.type != "AWSService")
    AND aws.cloudtrail.request_parameters RLIKE """.*\"Effect\": *\"Allow\".*"""
    AND (
        aws.cloudtrail.request_parameters RLIKE """.*\"Principal\": *\"\*\".*"""
        OR aws.cloudtrail.request_parameters RLIKE """.*\"Principal\": *\{ *\"AWS\": *\"\*\".*"""
    )
| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*

Install detection rules in Elastic Security

Detect AWS ECR Repository or Registry Policy Granted Public Access in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.