AWS Amazon ECR Repository Policy

This page shows how to write Terraform and CloudFormation for Amazon ECR Repository Policy and write them securely.

aws_ecr_repository_policy (Terraform)

The Repository Policy in Amazon ECR can be configured in Terraform with the resource name aws_ecr_repository_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

_ecr.tf#L26
resource "aws_ecr_repository_policy" "ecr1" {
  repository = aws_ecr_repository.ecr1.name
  policy     = data.aws_iam_policy_document.access_policy.json
}
resource "aws_ecr_repository" "ecr3" {
  name = "ecr3"
main.tf#L28
resource "aws_ecr_repository_policy" "formio-enterprise" {
  repository = aws_ecr_repository.formio-enterprise.name

  policy = var.ecr_policy
}

wildcard_principal.tf#L9
resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
  repository = "ecr-repo"

  policy = <<EOF
{
    "Version": "2008-10-17",
iam.tf#L112
resource "aws_ecr_repository_policy" "registry-policy-carts" {
  repository = aws_ecr_repository.repository_carts.name
  policy = <<EOF
  {
    "Version": "2008-10-17",
    "Statement": [
repositories.tf#L5
resource "aws_ecr_repository_policy" "repo_apiserver" {
  repository = aws_ecr_repository.repo_apiserver.name
  policy     = data.aws_iam_policy_document.repo_permission_policy.json
}

resource "aws_ecr_lifecycle_policy" "repo_apiserver" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an Elastic Container Registry Repository Policy. Note that currently only one policy may be applied to a repository.

Tips: Best Practices for The Other AWS Amazon ECR Resources

In addition to the aws_ecr_repository, AWS Amazon ECR has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_ecr_repository

Ensure to enable ECR image scan

It is better to enbale ECR image scan. AWS ECR provides a feature to scan container images and discover vulnerable software.

Review your AWS Amazon ECR settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::ECR::Repository (CloudFormation)

The Repository in ECR can be configured in CloudFormation with the resource name AWS::ECR::Repository. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

repositary.yml#L8
    Type: "AWS::ECR::Repository"
    Properties:
      RepositoryName: !Join ['', [!Ref 'Environment', "/", "park/builder"]]
  parkIdmDependencies:
    Type: "AWS::ECR::Repository"
    Properties:
matchvote.yml#L8
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: almanack
  Migrant:
    Type: AWS::ECR::Repository
    Properties:
ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [{
dev.ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: pm-av-webui-app
  PropertyEcr:
    Type: AWS::ECR::Repository
    Properties:
ecr.yml#L4
    Type: 'AWS::ECR::Repository'
    Properties:
      RepositoryName: location-service
  DEMANDSERVICE:
    Type: 'AWS::ECR::Repository'
    Properties:
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {

Parameters

Explanation in CloudFormation Registry

The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.

Frequently asked questions

What is AWS Amazon ECR Repository Policy?

AWS Amazon ECR Repository Policy is a resource for Amazon ECR of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECR Repository Policy?

For Terraform, the moshinde/terraform-atlantis-envs, 18F/formservice-iac-modules and ffsclyh/config-lint source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the saiganesh12/alexa-video-skills, matchVote/matchvote_ops and morphologue/CfnTemplates source code examples are useful. See the CloudFormation Example section for further details.