Top / Amazon Web Service / AWS Amazon ECR / Repository Policy

AWS Amazon ECR Repository Policy

This page shows how to write Terraform and CloudFormation for Amazon ECR Repository Policy and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_ecr_repository_policy (Terraform)

The Repository Policy in Amazon ECR can be configured in Terraform with the resource name aws_ecr_repository_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

_ecr.tf#L26
resource "aws_ecr_repository_policy" "ecr1" {
  repository = aws_ecr_repository.ecr1.name
  policy     = data.aws_iam_policy_document.access_policy.json
}
resource "aws_ecr_repository" "ecr3" {
  name = "ecr3"
main.tf#L28
resource "aws_ecr_repository_policy" "formio-enterprise" {
  repository = aws_ecr_repository.formio-enterprise.name

  policy = var.ecr_policy
}
wildcard_principal.tf#L9
resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
  repository = "ecr-repo"

  policy = <<EOF
{
    "Version": "2008-10-17",
iam.tf#L112
resource "aws_ecr_repository_policy" "registry-policy-carts" {
  repository = aws_ecr_repository.repository_carts.name
  policy = <<EOF
  {
    "Version": "2008-10-17",
    "Statement": [
repositories.tf#L5
resource "aws_ecr_repository_policy" "repo_apiserver" {
  repository = aws_ecr_repository.repo_apiserver.name
  policy     = data.aws_iam_policy_document.repo_permission_policy.json
}

resource "aws_ecr_lifecycle_policy" "repo_apiserver" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides an Elastic Container Registry Repository Policy. Note that currently only one policy may be applied to a repository.

>> from Terraform Registry

Tips: Best Practices for The Other AWS Amazon ECR Resources

In addition to the aws_ecr_repository, AWS Amazon ECR has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_ecr_repository

Ensure to enable ECR image scan

It is better to enbale ECR image scan. AWS ECR provides a feature to scan container images and discover vulnerable software.

Review your AWS Amazon ECR settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::ECR::Repository (CloudFormation)

The Repository in ECR can be configured in CloudFormation with the resource name AWS::ECR::Repository. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

matchvote.yml#L8
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: almanack
  Migrant:
    Type: AWS::ECR::Repository
    Properties:
repositary.yml#L8
    Type: "AWS::ECR::Repository"
    Properties:
      RepositoryName: !Join ['', [!Ref 'Environment', "/", "park/builder"]]
  parkIdmDependencies:
    Type: "AWS::ECR::Repository"
    Properties:
ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [{
dev.ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: pm-av-webui-app
  PropertyEcr:
    Type: AWS::ECR::Repository
    Properties:
ecr.yml#L4
    Type: 'AWS::ECR::Repository'
    Properties:
      RepositoryName: location-service
  DEMANDSERVICE:
    Type: 'AWS::ECR::Repository'
    Properties:
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.

>> from AWS CloudFormation Documentation

The Other Related AWS Amazon ECR Resources

Frequently asked questions

What is AWS Amazon ECR Repository Policy?

AWS Amazon ECR Repository Policy is a resource for Amazon ECR of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECR Repository Policy?

For Terraform, the moshinde/terraform-atlantis-envs, 18F/formservice-iac-modules and ffsclyh/config-lint source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the matchVote/matchvote_ops, saiganesh12/alexa-video-skills and morphologue/CfnTemplates source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents