ECS Task defintion

Hi,

I think that if you grant your ECS task access to the only ECR repo(s) that you want, you're good.

Look at section "Accessing One Amazon ECR Repository" of https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.html for an example:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"ListImagesInRepository",
         "Effect":"Allow",
         "Action":[
            "ecr:ListImages"
         ],
         "Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
      },
      {
         "Sid":"GetAuthorizationToken",
         "Effect":"Allow",
         "Action":[
            "ecr:GetAuthorizationToken"
         ],
         "Resource":"*"
      },
      {
         "Sid":"ManageRepositoryContents",
         "Effect":"Allow",
         "Action":[
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
         ],
         "Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
      }
   ]
}

Best,

Didier

Hello.

Looking at the ECS IAM policy list, I think it is difficult to restrict repositories using task definitions.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html

So, how about configuring CI/CD so that ECS is updated when Git Push is performed?
If you set the IAM policy so that each IAM user cannot directly update the ECS task definition, you will be less worried about the task definition repository settings being changed.