
[New Rule] AWS Elastic Container Registry Policy Modification

Open: bm11100 opened this issue 4 years ago • 1 comment

Description

Detects modifications to an AWS ECR policy. Ensure that ECR repositories are only shared with trusted accounts, and that the trusted accounts truly need access. Restrict access to IAM permissions that could lead to exposure of your ECR repositories.

Required Info

Target indexes

filebeat-* logs-aws*

Platforms

aws

Tested ECS Version

tbd

Optional Info

Query

event.dataset:aws.cloudtrail and event.provider:ecr.amazonaws.com and event.action:(SetRepositoryPolicy or DeleteRepositoryPolicy or PutRegistryPolicy or DeleteRegistryPolicy) and event.outcome:success

References

https://endgame.readthedocs.io/en/latest/risks/ecr/


bm11100, Mar 02 '21 19:03

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot], Aug 25 '21 11:08
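
An added triage example, not part of the issue or of the detection-rules project: it applies the proposed rule's match conditions to raw CloudTrail records, then checks the principals in the new policy against an allowlist of trusted accounts, as the description advises. The sample events, the `TRUSTED_ACCOUNTS` allowlist and all function names are constructed for illustration; it assumes `policyText` is present in `requestParameters` and that a record carrying `errorCode` is a non-success outcome.

```python
import json

# Actions named in the proposed rule query.
POLICY_ACTIONS = {"SetRepositoryPolicy", "DeleteRepositoryPolicy",
                  "PutRegistryPolicy", "DeleteRegistryPolicy"}
TRUSTED_ACCOUNTS = {"111111111111"}  # constructed allowlist (assumption)

def principal_accounts(statement):
    """Return account ids (or '*') named in a statement's Principal."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):           # "Principal": "*"
        return {principal}
    values = principal.get("AWS", [])
    values = [values] if isinstance(values, str) else values
    # ARN form is arn:aws:iam::<account>:root; otherwise a bare id or "*"
    return {v.split(":")[4] if v.startswith("arn:") else v for v in values}

def triage(event):
    """None if the rule would not match, else what the change exposed."""
    if (event.get("eventSource") != "ecr.amazonaws.com"
            or event.get("eventName") not in POLICY_ACTIONS
            or event.get("errorCode")):      # failed call: outcome != success
        return None
    params = event.get("requestParameters") or {}
    untrusted = set()
    if "policyText" in params:               # Set/Put carry the new policy
        statements = json.loads(params["policyText"]).get("Statement", [])
        if isinstance(statements, dict):     # a single statement object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow":
                untrusted |= principal_accounts(stmt) - TRUSTED_ACCOUNTS
    return {"action": event["eventName"],
            "repository": params.get("repositoryName"),
            "untrusted": sorted(untrusted)}

def ecr_event(name, **extra):                # constructed, minimal record
    return {"eventSource": "ecr.amazonaws.com", "eventName": name, **extra}

def policy(principal):                       # constructed policy document
    return json.dumps({"Statement": [{"Effect": "Allow", "Principal": principal,
                                      "Action": "ecr:BatchGetImage"}]})

SAMPLE_EVENTS = [  # constructed sample data, not taken from the issue
    ecr_event("SetRepositoryPolicy", requestParameters={
        "repositoryName": "app", "policyText": policy({"AWS": [
            "arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"]})}),
    ecr_event("SetRepositoryPolicy", requestParameters={
        "repositoryName": "base", "policyText": policy("*")}),
    ecr_event("DeleteRepositoryPolicy", requestParameters={"repositoryName": "app"}),
    ecr_event("SetRepositoryPolicy", errorCode="AccessDenied"),
    ecr_event("DescribeRepositories"),
]
```

Calling `triage` on each entry of `SAMPLE_EVENTS` separates policy changes that only touch trusted accounts from those that grant access to an unlisted account or to `*`.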