Defender Track
Objective 5: Identify the public resource
Looking at earlier events from the CloudTrail logs, we'll see level1 calling ListImages, BatchGetImage, and GetDownloadUrlForLayer. Again, this is a compromised session credential, but we also want to see what happened here.
We can see the ListImages call event contains:

    "requestParameters": {
        "repositoryName": "level2",
        "registryId": "653711331788"
    }
We can check the repository policy by running:

    aws --profile target_security ecr get-repository-policy --repository-name level2

Response:

    {
        "policyText": "{\n \"Version\" : \"2008-10-17\",\n \"Statement\" : [ {\n \"Sid\" : \"AccessControl\",\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : [ \"ecr:GetDownloadUrlForLayer\", \"ecr:BatchGetImage\", \"ecr:BatchCheckLayerAvailability\", \"ecr:ListImages\", \"ecr:DescribeImages\" ]\n } ]\n}",
        "repositoryName": "level2",
        "registryId": "653711331788"
    }
The policyText field is itself a JSON document stored as a string, so you can clean it up by piping the response through jq with jq '.policyText|fromjson', which results in:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AccessControl",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:ListImages",
                    "ecr:DescribeImages"
                ]
            }
        ]
    }
The Principal is "*", which means anyone on the internet is allowed to perform those actions, so this ECR repository is public. Ideally, you'd use a tool like CloudMapper to scan an account for public resources like this before you have to trace back an attack.
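As an added example (not part of the original walkthrough), the same check done programmatically over the raw CLI response: it unwraps policyText and reports every Allow statement whose Principal is a wildcard. The sample response is constructed to match the level2 policy above, and the function names are my own.

```python
import json
import sys

# Constructed sample in the exact shape `aws ecr get-repository-policy` returns:
# policyText is a JSON document embedded as a string (hence `fromjson` in jq).
SAMPLE_RESPONSE = json.dumps({
    "policyText": json.dumps({
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AccessControl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                       "ecr:BatchCheckLayerAvailability", "ecr:ListImages",
                       "ecr:DescribeImages"],
        }],
    }),
    "repositoryName": "level2",
    "registryId": "653711331788",
})

def is_wildcard_principal(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(response_text):
    """Return (sid, actions, has_condition) for each Allow statement open to any principal.
    A Condition may narrow who can really use it, so it is reported rather than silently skipped."""
    response = json.loads(response_text)
    policy = json.loads(response["policyText"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            findings.append((stmt.get("Sid", ""), actions, "Condition" in stmt))
    return findings

if __name__ == "__main__":
    # Pipe the real CLI output in on stdin; with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for sid, actions, conditioned in public_statements(text):
        note = " (has Condition, review manually)" if conditioned else ""
        print(f"PUBLIC statement {sid!r} allows: {', '.join(actions)}{note}")
```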