By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Most restrictive Document Policy for an S3 Gateway Endpoint to pull docker image in ECR from ECS

0

I am deploying an ECS Fargate cluster with a service in private subnets. To enable tasks to pull the Docker image from ECR, I have created three Endpoints (dkr, ecr API, and S3) in my VPC.

Focusing on the S3 endpoint, I would like to associate the most restrictive policy possible so that only tasks can use this endpoint and only access the specific S3 bucket where ECR stores the images.

In the official AWS documentation, they propose the following policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

This policy is okay, but it only restricts access to the bucket through the endpoint. I would like a policy that specifically allows only ECS to access it and not other resources that may be in the same private subnets with access to the endpoint. I have tried this policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only-from-ecs-task",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

But it doesn't work, task can't pull the image and I don't know why.

Can you help me out?

Topics
StorageServerlessContainersSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS FargateAmazon Elastic Container Registry (ECR)Amazon Elastic Container ServiceIAM Policies
Language
English
profile picture
jaimeelso
asked 25 days ago182 views
2 Answers
0

Usually you associate an IAM role to the service, have you tried that as the principal?

profile picture
EXPERT
Gary Mclean
answered 25 days ago
0

have you tried using a condition as follows? replacing Role name with the ECS Task Role?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
        "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}
profile picture
EXPERT
Gary Mclean
answered 25 days ago
  • jaimeelso
    25 days ago

    I just tried to modify it as you suggested, and it doesn't work, neither by setting the ExecutionRoleArn of the service nor with the TaskRoleArn of the task.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content