Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

ECR Cross Account Replication with KMS

0

When setting up AWS ECR cross account replication with KMS, I would expect that the target account (account b) service role "AWSServiceRoleForECRReplication" would need permissions granted to the source KMS CMK (account a) to allow decryption of the images being replicated, however this is not documented as a requirement anywhere in the AWS documentation [1] or [2]

[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html [2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html

Can anyone confirm (a) this is required ? and (b) can we use least privilege and use the the target account (account b) 'AWSServiceRoleForECRReplication' service role as a principal or is another role used to decrypt when replicating?

Thanks

Topics
ContainersSecurity, Identity, & Compliance
Tags
AWS Key Management ServiceAmazon Elastic Container Registry (ECR)
Language
English
asked a year ago301 views
1 Answer
0
Accepted Answer

ECR will push a new image to the alternative repository just as if you were performing a docker push or even a pull. You dont need encrypt or decrypt to the Key as its only for data at rest outside of the native docker application.

EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content