github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md


Do not allow public access in the policy

```yaml
---
Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageTagImmutability: IMMUTABLE
      ImageScanningConfiguration:
        ScanOnPush: false
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: "alias/ecr-key"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          -
            Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::123456789012:user/Alice"
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"

```
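As an added example that is not part of this doc or of Trivy's own code, here is one way to implement the check the good example satisfies: flag any Allow statement in RepositoryPolicyText whose Principal contains the wildcard. The policies are given as Python dicts; the first is the page's good example, the second is a constructed public counterexample.

```python
# Added example, not Trivy's own code: a minimal version of the check this
# page documents, run over the policy document CloudFormation places in
# RepositoryPolicyText for an AWS::ECR::Repository (here as a Python dict).
from typing import Any

WILDCARD = "*"


def _principals(principal: Any) -> list[str]:
    """Flatten a Principal element ("*", an ARN string, a list, or a
    mapping such as {"AWS": ["arn:...:user/Alice"]}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return [p for item in principal for p in _principals(item)]
    if isinstance(principal, dict):
        return [p for value in principal.values() for p in _principals(value)]
    return []


def find_public_statements(policy: dict) -> list[str]:
    """Return the Sids (or positional labels) of Allow statements whose
    Principal contains the wildcard, i.e. that grant access to anyone.
    Conditions are not evaluated: a wildcard principal is always reported."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and WILDCARD in _principals(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# The page's good example: one named IAM user may push and pull.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPushPull", "Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:user/Alice"]},
                   "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}],
}

# Constructed counterexample: the same grant, but to everyone.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicPull", "Effect": "Allow",
                   "Principal": "*", "Action": ["ecr:BatchGetImage"]}],
}
```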