Hello,
I have a docker container in my ECR. I have adjusted access to this so that a specific root account (X) can use it to instantiate a lambda instance with a specific name. So once X instantiates the lambda, is there any way that he can view the content of my docker container?
This is the access policy in my ECR
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushForLambda",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ExtAccountID1>:root",
"AWS": "arn:aws:iam::<ExtAccountID2>:root"
},
"Action": "ecr:GetImage",
"Condition": {
"StringLike": {
"aws:Referer": [
"arn:aws:lambda:<region>:<ExtAccountID1>:function:ExpectedLambdaFunctionName",
"arn:aws:lambda:<region>:<ExtAccountID2>:function:ExpectedLambdaFunctionName"
]
}
},
"Resource": "arn:aws:ecr:<region>:<MyAccountID>:repository/<repository-name>"
}
]
}
AWS 官方已更新 2 年前
Hi Minh,
Thank you for your response. Noted!
By doing that, will the person with account id 435854034491 be able to download the docker container in my ECR? Is it possible to restrict them to using my docker container only to instantiate lambda functions and nothing more? I want to hide the content of my docker container, but allow them only to utilize the functionality.