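Do not allow public access in the policy

```hcl
resource "aws_ecr_repository" "foo" {
  name = "bar"
}

resource "aws_ecr_repository_policy" "foopolicy" {
  repository = aws_ecr_repository.foo.name

  # The Principal is pinned to this account's root rather than a wildcard
  # ("*"), so the repository is not readable or writable by arbitrary AWS
  # accounts. This snippet references data.aws_caller_identity.current and
  # assumes a `data "aws_caller_identity" "current" {}` block is declared
  # elsewhere in the configuration.
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
EOF
}

```

#### Remediation Links
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy#policy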