aws_ecr_repository_policy Resource
Use the aws_ecr_repository_policy InSpec audit resource to test the policy configured for a single AWS Elastic Container Registry (ECR) repository.
New in InSpec AWS resource pack 1.11.0.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_ecr_repository_policy resource block declares the tests for a single AWS ECR repository by repository name.
describe aws_ecr_repository_policy(repository_name: 'my-repo') do
it { should exist }
end
The value of the repository_name can be provided as a string.
describe aws_ecr_repository_policy('my-repo') do
it { should exist }
end
Parameters
The repository name must be provided.
repository_name(required)The name of the ECR repository must satisfy the following constraints:
- Regex pattern
(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*. - Minimum 2 and maximum of 256 characters long.
- Regex pattern
This can be passed either as a string or as a
repository_name: 'value'key-value entry in a hash.have_statementThe
have_statementexamines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does not interpret the policy in a request authorization context as AWS does when a request is processed. Rather, thehave_statementexamines the literal contents of the IAM policy and reports on what is present (or absent, when used withshould_not).Criteria
The
have_statementaccepts the following criteria to search for matching statements. A test is successful if any statement matches all the criteria. Criteria can be formatted in title case or lowercase, and as a string or symbol.Action- Expresses the requested operation. Acceptable literal values are any AWS operation name, including the ‘*’ wildcard character.
Actionmay also use a list of AWS operation names.
Effect- Expresses if the operation is permitted. Acceptable values are
'Deny'and'Allow'.
Sid- A user-provided string identifier for the statement.
Principal- Expresses the operation’s target. Acceptable values are Amazon Resource Names (ARNs), including the ‘*’ wildcard.
Principalmay also use a list of ARN values.
Please note the following about the behavior of the
have_statement:- The
Action,Sid, andResourcecriteria will allow a regular expression instead of a string literal. - The
have_statementdoes not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with"Action": "s3:*"and the test checks forAction: "s3:PutObject", the test will not match. You must write an additional test checking for the wildcard case. - The
have_statementsupports searching for list values. For example, if a statement contains a list of three resources and ahave_statementtest specifies one of those resources, it will match.
- The
Examples
describe aws_ecr_repository_policy('repo_name') do
it { should exist }
it { should have_statement(Action: "ecr:GetDownloadUrlForLayer", Effect: "Allow", Principal: "*", Sid: "new policy")}
it { should_not have_statement(Action: /^rds:.+$/)}
end
Symbols, title case, and lowercase are all allowed as criteria. The following four statements will return the same results:
describe aws_ecr_repository_policy('repo_name') do
it { should_not have_statement('Effect' => 'Allow', 'Principal' => '*', 'Action' => '*')}
it { should_not have_statement('effect' => 'Allow', 'Principal' => '*', 'action' => '*')}
it { should_not have_statement(Effect: 'Allow', Principal: '*', Action: '*')}
it { should_not have_statement(effect: 'Allow', Principal: '*', action: '*')}
end
AWS Permissions
Your Principal will need the ECR:Client:GetRepositoryPolicyResponse action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.