ECR repository policies should not allow wildcard principals

ecr
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

ECR repository resource policies should not grant access to wildcard principals (Principal: "*") without scoping conditions. An unconditional wildcard principal allows any AWS account or unauthenticated user to access the resource, creating a significant security risk. Wildcard principals scoped by policy conditions (such as aws:SourceAccount, aws:SourceArn, or aws:PrincipalOrgID) are not flagged, because the condition restricts effective access.

Remediation

Update the repository policy to specify explicit AWS account IDs or IAM principals. Alternatively, add scoping conditions that restrict access. For guidance, refer to Repository policies.