Passer au contenu
En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post
À propos de re:Post

ECR Cross Account Replication with KMS

0

When setting up AWS ECR cross account replication with KMS, I would expect that the target account (account b) service role "AWSServiceRoleForECRReplication" would need permissions granted to the source KMS CMK (account a) to allow decryption of the images being replicated, however this is not documented as a requirement anywhere in the AWS documentation [1] or [2]

[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html [2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html

Can anyone confirm (a) this is required ? and (b) can we use least privilege and use the the target account (account b) 'AWSServiceRoleForECRReplication' service role as a principal or is another role used to decrypt when replicating?

Thanks

Sujets
ConteneursSécurité, identité et conformité
Balises
Service de gestion de clés AWSAmazon Elastic Container Registry (ECR)
Langue
English
demandé il y a un an323 vues
1 réponse
0
Réponse acceptée

ECR will push a new image to the alternative repository just as if you were performing a docker push or even a pull. You dont need encrypt or decrypt to the Key as its only for data at rest outside of the native docker application.

EXPERT
répondu il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Contenus pertinents