Quick Start Security for Amazon ECR Audit
Coralogix Extension For Amazon ECR Audit Includes:
Alerts - 9
Stay on top of Amazon ECR Audit key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Repository Created
This alert triggers when a repository is created and the newly created repository doesn't have the latest TLS encryption version enabled, which is version 1.3. Creating an ECR repository with the latest TLS encryption version is crucial for protecting your data, mitigating security vulnerabilities, and complying with industry requirements. See the following link for more details on AWS ECR repositories: https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html
Impact: A threat actor can create a public repository with malicious code by abusing undocumented internal ECR Public API actions.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities.
MITRE Tactic: TA0003
MITRE Technique: T1525
Repository Policy Applied
This alert triggers when a repository policy is applied to a specified repository to control access permissions. See the following link for more information on AWS ECR repository policies: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html
Impact: AWS Elastic Container Registry (ECR) private repositories use resource-based policies to delineate which entities are permitted to push and pull containers. As a result, it is possible for these policies to be misconfigured and potentially abused.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, revert the action and check for any suspicious activities.
MITRE Tactic: TA0004
MITRE Technique: T1484
Excessive ECR Image Pushed
This alert triggers when multiple ECR images are pushed and all the new image layers have been uploaded within a specific interval of time. See the following link for more details: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_PutImage.html
Impact: A threat actor can push a malicious ECR image which would appear to come from a verified registry, infecting many machines at once. This might eventually affect business operations on a large scale.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities. This alert can be fine-tuned for specific repositories or users performing these actions.
MITRE Tactic: TA0005
MITRE Technique: T1578
Image Vulnerability Scan Disabled
This alert triggers when a user disables the image scanning configuration for the specified repository. See the following link for more details on AWS ECR image scanning: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_PutImageScanningConfiguration.html
Impact: A threat actor can disable the vulnerability scan for an image to prevent malicious images from being scanned and run them under the radar.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, revert the action, investigate further, and look for any suspicious activities.
MITRE Tactic: TA0005
MITRE Technique: T1578
Images Within a Repository Deleted
This alert triggers when a list of specified images within a repository is deleted. Images are specified with either an imageTag or imageDigest. See the following link for more details: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_BatchDeleteImage.html
Impact: A threat actor can delete repository images to disrupt normal business operations.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities.
MITRE Tactic: TA0040
MITRE Technique: T1485
Excessive ECR Images Pulled
This alert triggers when multiple ECR images are pulled within a specific interval of time. This operation gets detailed information for an image. Images are specified with either an imageTag or imageDigest. See the following link for more details: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_BatchGetImage.html
Impact: A threat actor can update or create an image with malicious code. This malicious code is executed on any machine that pulls and runs the image, whether on the user's local machines, Kubernetes clusters, or cloud environment. This allows the actor to infect popular images such as CloudWatch agent, EKS Distro, Amazon Linux, and Nginx. Also, a high number of images being pulled by a single user could indicate suspicious activity.
Mitigation: Check if the user is aware of this action and if this activity is legitimate. If not, investigate further and look for any suspicious activities. This alert can be fine-tuned for specific repositories or users performing these actions.
MITRE Tactic: TA0009
MITRE Technique: T1530
Forced Repository Deleted
This alert triggers when a repository that has images present in it is deleted. If the repository contains images, you must either delete all images in the repository or use the force option to delete the repository. See the following link for more details: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DeleteRepository.html
Impact: A threat actor can delete a public or a private repository to disrupt normal business operations.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities.
MITRE Tactic: TA0005
MITRE Technique: T1578
Image tag overwrite enabled
This alert triggers when image tag mutability is changed from immutable to mutable, which disables image overwrite protection. See the following link for more details on image tag mutability: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
Impact: A threat actor can change the tag mutability setting of a repository from immutable to mutable. This disables the overwrite protection on existing image tags and lets them tamper with the existing data.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, reverse the action and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1578
Life-Cycle Policy Added
This alert triggers when a life-cycle policy is added to a repository, which may override the existing policies. See the following link for more information on AWS ECR life-cycle policies: https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html
Impact: Threat actors can override the existing policies by placing malicious policies as high-priority ones to elevate their privileges.
Mitigation: Check if the policy added is a high-priority policy that may override the existing policies and is evaluated first. In such cases, check if the policy added is known to the user and is a legitimate action. If not, revert the action to a known good state and investigate further for any malicious activities.
MITRE Tactic: TA0004
MITRE Technique: T1484
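The alerts above are all conditions on ECR CloudTrail events. As an added illustration (not Coralogix's rule logic and not code from this extension), the following Python script evaluates four of them over a handful of constructed CloudTrail-style records: Image Vulnerability Scan Disabled, Image tag overwrite enabled, Forced Repository Deleted, and Excessive ECR Image Pushed. It assumes CloudTrail's requestParameters mirror the ECR API request shapes (imageScanningConfiguration.scanOnPush, imageTagMutability, force, repositoryName); the account id, principal ARNs, repository names and the threshold of 5 pushes in 5 minutes are made up for the example.

```python
"""Toy detectors for four of the ECR Audit alerts, run over constructed
CloudTrail-style events. Added example; not the extension's own rules."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (only the fields the detectors read).
# Account id, ARNs and repository names are placeholders, not real data.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImageScanningConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "payments-api",
                           "imageScanningConfiguration": {"scanOnPush": False}}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImageTagMutability",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "payments-api",
                           "imageTagMutability": "MUTABLE"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "DeleteRepository",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "legacy-web", "force": True}},
] + [
    # Five PutImage calls by one principal within 40 seconds.
    {"eventTime": f"2024-05-01T10:10:{i * 10:02d}Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"},
     "requestParameters": {"repositoryName": "payments-api", "imageTag": f"build-{i}"}}
    for i in range(5)
] + [
    # Benign: re-enabling scan-on-push must not fire the scan-disabled rule.
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImageScanningConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"repositoryName": "payments-api",
                           "imageScanningConfiguration": {"scanOnPush": True}}},
]


def _actor(event):
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def _repo(event):
    return event.get("requestParameters", {}).get("repositoryName", "<unknown>")


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def scan_disabled(event):
    """Image Vulnerability Scan Disabled: scanOnPush explicitly switched off."""
    if event.get("eventName") != "PutImageScanningConfiguration":
        return False
    cfg = event.get("requestParameters", {}).get("imageScanningConfiguration", {})
    return cfg.get("scanOnPush") is False


def tag_overwrite_enabled(event):
    """Image tag overwrite enabled: repository tag mutability set to MUTABLE."""
    return (event.get("eventName") == "PutImageTagMutability"
            and event.get("requestParameters", {}).get("imageTagMutability") == "MUTABLE")


def forced_repository_deleted(event):
    """Forced Repository Deleted: DeleteRepository called with force=true."""
    return (event.get("eventName") == "DeleteRepository"
            and event.get("requestParameters", {}).get("force") is True)


def excessive_pushes(events, threshold=5, window=timedelta(minutes=5)):
    """Excessive ECR Image Pushed: at least `threshold` PutImage calls by one
    principal inside a sliding time window; one finding per principal."""
    recent = defaultdict(deque)
    fired = {}
    pushes = sorted((e for e in events if e.get("eventName") == "PutImage"), key=_when)
    for ev in pushes:
        actor, t = _actor(ev), _when(ev)
        q = recent[actor]
        q.append(t)
        while q and t - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if len(q) >= threshold and actor not in fired:
            fired[actor] = ("Excessive ECR Image Pushed", actor, _repo(ev))
    return list(fired.values())


SINGLE_EVENT_RULES = [
    ("Image Vulnerability Scan Disabled", scan_disabled),
    ("Image tag overwrite enabled", tag_overwrite_enabled),
    ("Forced Repository Deleted", forced_repository_deleted),
]


def run_alerts(events):
    """Return (alert, actor, repository) tuples for every rule that fires."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ecr.amazonaws.com":
            continue
        for name, rule in SINGLE_EVENT_RULES:
            if rule(ev):
                findings.append((name, _actor(ev), _repo(ev)))
    findings.extend(excessive_pushes(events))
    return findings


if __name__ == "__main__":
    for alert, actor, repo in run_alerts(SAMPLE_EVENTS):
        print(json.dumps({"alert": alert, "actor": actor, "repository": repo}))
```

Each finding carries the acting principal and the repository, which is exactly what the Mitigation steps above ask an analyst to confirm first: whether that user knows about the action and whether it was legitimate for that repository. The push-count rule keeps a per-principal sliding window so it can be tuned per user or repository, as the Excessive ECR Image Pushed description suggests.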
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon ECR Audit in our documentation.