terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal
Detected a wildcard (`*`) principal in an Allow statement of an `aws_ecr_repository_policy`. This grants the listed ECR actions to every caller, including principals from any other AWS account (public access), rather than to an identified set of identities. Instead, limit principals, actions and resources to what you need according to least privilege.
Definition
# Semgrep rule: flags `aws_ecr_repository_policy` resources whose inline policy
# contains a non-Deny statement with a wildcard ("*") principal.
#
# Scope (what the two `pattern-either` branches below actually inspect):
#   * a `policy` given as a string / heredoc, re-parsed as JSON through
#     `metavariable-pattern`, and
#   * a `policy` built with `jsonencode({...})`.
# Policies sourced from an `aws_iam_policy_document` data source, a variable,
# `templatefile()` or `file()` are NOT inspected by this rule, so a clean run
# does not prove the repository is not shared with "*".
#
# Wildcards are excluded only when the statement is an explicit Deny. A
# wildcard principal that is narrowed with a `Condition` block (for example on
# `aws:PrincipalOrgID`) is still reported; review such findings instead of
# dismissing them, since the condition, not the principal, is what bounds access.
rules:
  - id: aws-ecr-repository-wildcard-principal
    patterns:
      # Restrict matching to the body of the ECR repository policy resource;
      # $ANYTHING binds the resource's local name and is otherwise unused.
      - pattern-inside: |
          resource "aws_ecr_repository_policy" $ANYTHING {
            ...
          }
      - pattern-either:
          # Branch 1: the policy is a string literal or heredoc. The whole
          # `policy = ...` argument is the finding, so test annotations for this
          # branch belong directly above the `policy` line.
          - patterns:
              - pattern: policy = "$JSONPOLICY"
              - metavariable-pattern:
                  metavariable: $JSONPOLICY
                  language: json
                  patterns:
                    # "Allow" is never matched explicitly: any statement that is
                    # not an explicit Deny is treated as a grant (including one
                    # with a missing or templated Effect).
                    - pattern-not-inside: |
                        {..., "Effect": "Deny", ...}
                    - pattern-either:
                        # The four wildcard spellings: bare "*", a list holding
                        # "*", {"AWS": "*"} and {"AWS": [..., "*", ...]}.
                        # NOTE(review): the two map forms are written without
                        # `...`, so a Principal map that also carries other
                        # keys (e.g. "Service") may not match — confirm against
                        # Semgrep's JSON object-pattern semantics.
                        - pattern: |
                            {..., "Principal": "*", ...}
                        - pattern: |
                            {..., "Principal": [..., "*", ...], ...}
                        - pattern: |
                            {..., "Principal": { "AWS": "*" }, ...}
                        - pattern: |
                            {..., "Principal": { "AWS": [..., "*", ...] }, ...}
          # Branch 2: the policy is built with jsonencode(). Here the finding is
          # the offending statement object itself, so test annotations belong
          # directly above that object.
          - patterns:
              - pattern-inside: policy = jsonencode(...)
              # Same Deny exclusion as branch 1, in HCL attribute syntax.
              - pattern-not-inside: |
                  {..., Effect = "Deny", ...}
              - pattern-either:
                  # Same four wildcard spellings in HCL object syntax; the
                  # NOTE(review) about map forms without `...` applies here too.
                  - pattern: |
                      {..., Principal = "*", ...}
                  - pattern: |
                      {..., Principal = [..., "*", ...], ...}
                  - pattern: |
                      {..., Principal = { AWS = "*" }, ...}
                  - pattern: |
                      {..., Principal = { AWS = [..., "*", ...] }, ...}
    # NOTE(review): `aws_ecr_repository_policy` governs a private registry whose
    # API, as far as I know, requires an authenticated AWS identity; the practical
    # exposure of "*" here is any principal in any AWS account. Unauthenticated
    # public pulls are a property of ECR Public (`aws_ecrpublic_repository_policy`),
    # which this rule does not cover — confirm before relying on the wording below.
    message: Detected wildcard access granted in your ECR repository policy
      principal. This grants access to all users, including anonymous users
      (public access). Instead, limit principals, actions and resources to what
      you need according to least privilege.
    metadata:
      category: security
      technology:
        - aws
        - terraform
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
        - https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html
        - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html
        - https://cwe.mitre.org/data/definitions/732.html
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING
Examples
aws-ecr-repository-wildcard-principal.tf
# Fixture (expected finding): heredoc policy with one account-scoped statement
# and a second statement that grants image pulls to {"AWS": "*"}. The rule
# matches the whole `policy` string and re-parses it as JSON, so the finding
# lands on the `policy` argument; the ruleid annotation must stay directly
# above that line. The heredoc body is left at column 0 so the string value is
# unchanged.
resource "aws_ecr_repository_policy" "fail_1_json" {
  repository = aws_ecr_repository.example.name
  # ruleid: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "ecr:*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected finding): jsonencode() form of fail_1_json. In this branch
# the rule matches the offending statement object itself, so the ruleid
# annotation sits directly above that object rather than above `policy`.
resource "aws_ecr_repository_policy" "fail_1_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17",
      Statement = [
        {
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::111122223333:root"
          }
          Action = "ecr:*"
        },
        # ruleid: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = {
            AWS = "*"
          }
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    })
}
# Fixture (expected finding): exercises the list-form pattern
# `"Principal": [..., "*", ...]`. A bare list is not a documented IAM Principal
# shape (AWS expects "*" or a map keyed by AWS/Service/Federated/CanonicalUser),
# so this tests the matcher, not a deployable policy.
resource "aws_ecr_repository_policy" "fail_2_json" {
  repository = aws_ecr_repository.example.name
  # ruleid: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": ["foo","*"],
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected finding): jsonencode() form of fail_2_json, exercising the
# HCL list-form pattern `Principal = [..., "*", ...]`. Same caveat: a bare list
# is not a documented IAM Principal shape; this tests the matcher only.
resource "aws_ecr_repository_policy" "fail_2_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ruleid: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = ["foo", "*"]
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    }
  )
}
# Fixture (expected finding): the simplest wildcard, a bare `"Principal": "*"`,
# in an Allow statement of a heredoc policy.
resource "aws_ecr_repository_policy" "fail_3_json" {
  repository = aws_ecr_repository.example.name
  # ruleid: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected finding): jsonencode() form of fail_3_json, a bare
# `Principal = "*"` in an Allow statement.
resource "aws_ecr_repository_policy" "fail_3_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ruleid: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = "*"
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    })
}
# Fixture (expected finding): a wildcard buried in an `"AWS"` list next to a
# legitimate account ARN. The first statement is clean; the second is the one
# the `{"AWS": [..., "*", ...]}` pattern must catch — a "*" alongside real
# principals still opens the repository to everyone.
resource "aws_ecr_repository_policy" "fail_4_json" {
  repository = aws_ecr_repository.example.name
  # ruleid: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"*"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected finding): jsonencode() form of fail_4_json. Only the second
# statement, whose `AWS` list contains "*", should be reported; the ruleid
# annotation therefore sits above that object only.
resource "aws_ecr_repository_policy" "fail_4_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::111122223333:root"
          }
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        },
        # ruleid: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = {
            AWS = [
              "arn:aws:iam::111122223333:root",
              "*"
            ]
          }
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    })
}
# Fixture (expected clean): the only principal is a specific account root ARN,
# and the actions are limited to image pulls. This is the least-privilege shape
# the rule message recommends.
resource "aws_ecr_repository_policy" "pass_1_json" {
  repository = aws_ecr_repository.example.name
  # ok: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected clean): jsonencode() form of pass_1_json — a single,
# explicitly named account principal.
resource "aws_ecr_repository_policy" "pass_1_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ok: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::111122223333:root"
          }
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    }
  )
}
# Fixture (expected clean): a wildcard principal on an explicit Deny. Denying
# everyone is a restriction, not a grant, and the rule's
# `pattern-not-inside` on `"Effect": "Deny"` excludes it.
resource "aws_ecr_repository_policy" "pass_2_json" {
  repository = aws_ecr_repository.example.name
  # ok: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected clean): jsonencode() form of pass_2_json — wildcard
# principal on an explicit Deny, excluded by the HCL `Effect = "Deny"` guard.
resource "aws_ecr_repository_policy" "pass_2_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ok: aws-ecr-repository-wildcard-principal
        {
          Effect = "Deny"
          Principal = {
            AWS = "*"
          }
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    })
}
# Fixture (expected clean): a bare-string principal that is not "*". This is the
# negative counterpart of fail_3_json. A bare string other than "*" is not a
# documented IAM Principal shape; it is here only to check that the bare-string
# pattern does not match arbitrary strings.
resource "aws_ecr_repository_policy" "pass_3_json" {
  repository = aws_ecr_repository.example.name
  # ok: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "foo",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected clean): jsonencode() form of pass_3_json — a bare-string
# principal other than "*" must not trip the `Principal = "*"` pattern.
resource "aws_ecr_repository_policy" "pass_3_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ok: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = "foo"
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    }
  )
}
# Fixture (expected clean): a list-form principal with no "*" element. This is
# the negative counterpart of fail_2_json and checks that the list pattern
# requires an actual wildcard element rather than matching any list.
resource "aws_ecr_repository_policy" "pass_4_json" {
  repository = aws_ecr_repository.example.name
  # ok: aws-ecr-repository-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": ["foo","bar"],
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
]
}
]
}
POLICY
}
# Fixture (expected clean): jsonencode() form of pass_4_json — a list of named
# principals with no "*" element must not match `Principal = [..., "*", ...]`.
resource "aws_ecr_repository_policy" "pass_4_hcl" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        # ok: aws-ecr-repository-wildcard-principal
        {
          Effect = "Allow"
          Principal = ["foo", "bar"]
          Action = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ]
        }
      ]
    })
}