Salta al contenuto
Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post
Informazioni su re:Post

ECR Cross Account Replication with KMS

0

When setting up AWS ECR cross account replication with KMS, I would expect that the target account (account b) service role "AWSServiceRoleForECRReplication" would need permissions granted to the source KMS CMK (account a) to allow decryption of the images being replicated, however this is not documented as a requirement anywhere in the AWS documentation [1] or [2]

[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html [2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html

Can anyone confirm (a) this is required ? and (b) can we use least privilege and use the the target account (account b) 'AWSServiceRoleForECRReplication' service role as a principal or is another role used to decrypt when replicating?

Thanks

Argomenti
ContenitoriSicurezza, identità e conformità
Tag
Servizio di gestione delle chiavi AWSRegistro dei container di Amazon Elastic (ECR)
Lingua
English
posta un anno fa332 visualizzazioni
1 Risposta
0
Risposta accettata

ECR will push a new image to the alternative repository just as if you were performing a docker push or even a pull. You dont need encrypt or decrypt to the Key as its only for data at rest outside of the native docker application.

ESPERTO
con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Contenuto pertinente