- Newest
- Most votes
- Most comments
Hi,
I think that if you grant your ECS task access to the only ECR repo(s) that you want, you're good.
Look at section "Accessing One Amazon ECR Repository" of https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.html for an example:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ListImagesInRepository",
"Effect":"Allow",
"Action":[
"ecr:ListImages"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
},
{
"Sid":"GetAuthorizationToken",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken"
],
"Resource":"*"
},
{
"Sid":"ManageRepositoryContents",
"Effect":"Allow",
"Action":[
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
}
]
}
Best,
Didier
Hello.
Looking at the ECS IAM policy list, I think it is difficult to restrict repositories using task definitions.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html
So, how about configuring CI/CD so that ECS is updated when Git Push is performed?
If you set the IAM policy so that each IAM user cannot directly update the ECS task definition, you will be less worried about the task definition repository settings being changed.
Relevant content
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago