Image Scan Enable
ECR Permission
• Allow pushes only to repositories that carry a specific resource tag
  ecr:ResourceTag/<key> is evaluated against the tags on the repository resource, not against the tag in the image reference, so a condition like this cannot limit pushes to images tagged e.g. :prod; it limits them to repositories tagged Environment=Production. Note also that ecr:PutImage alone only writes the manifest: a docker push additionally needs ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload and ecr:BatchCheckLayerAvailability, as granted in the push/pull statement below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushWithProperTags",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<RoleName>"
      },
      "Action": [
        "ecr:PutImage"
      ],
      "Condition": {
        "StringEquals": {
          "ecr:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}
• Restrict a specific repository so that only a specific role can push and pull
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<RoleName>"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}
• Grant image deletion permission to a specific role only
  Keep this in its own statement bound to a separate role, so the CI role that pushes images cannot also delete them or the repository itself.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowImageDeletion",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<RoleName>"
      },
      "Action": [
        "ecr:BatchDeleteImage",
        "ecr:DeleteRepository"
      ]
    }
  ]
}
• Allow pushes only from a specific IP range
  aws:SourceIp matches the public source address of the request. Pushes that reach ECR through a VPC interface endpoint do not carry that address, so for builders inside a VPC use aws:SourceVpce (or aws:VpcSourceIp) instead. 203.0.113.0/24 below is a placeholder range.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushFromCorporateNetwork",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<RoleName>"
      },
      "Action": [
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
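The statements above are easy to get subtly wrong: a push grant that omits the layer-upload actions fails at docker push time, a resource-tag condition reads as if it filtered image tags, and an aws:SourceIp condition silently excludes VPC-endpoint traffic. As an added example, not code from the original page, here is a small stdlib-only Python linter that checks a repository policy document for exactly those mistakes before it is applied. It assumes the repository-scoped push action set AWS lists for docker push (ecr:GetAuthorizationToken is IAM-scoped and deliberately not included); the account id, role name and VPC endpoint id in the sample documents are placeholders.

```python
"""Lint ECR repository policy documents for mistakes that make a
"least privilege" policy either broken or broader than intended.
Added example, not code from the original page; stdlib only, runs offline."""
import json

# Repository-scoped actions a `docker push` exercises (manifest write plus the
# layer HEAD/upload calls). ecr:GetAuthorizationToken is also needed but is
# not repository-scoped, so it belongs in the caller's IAM policy, not here.
PUSH_ACTIONS = frozenset({
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:BatchCheckLayerAvailability",
})
DESTRUCTIVE_ACTIONS = frozenset({"ecr:BatchDeleteImage", "ecr:DeleteRepository"})
# Condition keys evaluated against tags on the repository resource (not image tags).
REPO_TAG_PREFIXES = ("ecr:ResourceTag/", "aws:ResourceTag/")


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_policy(policy):
    """Return a list of (sid, code, message) findings for one repository policy."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("*", "BAD_VERSION", "Version must be 2012-10-17"))
    seen_sids = set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if sid in seen_sids:
            findings.append((sid, "DUPLICATE_SID", "Sid values must be unique"))
        seen_sids.add(sid)
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = set(_as_list(stmt.get("Action", [])))
        if "ecr:*" in actions:
            actions |= PUSH_ACTIONS | DESTRUCTIVE_ACTIONS
        conditions = stmt.get("Condition", {})
        cond_keys = {key for operator in conditions.values() for key in operator}

        # 1. PutImage without the layer-upload actions: docker push cannot complete.
        if "ecr:PutImage" in actions and not PUSH_ACTIONS <= actions:
            missing = ", ".join(sorted(PUSH_ACTIONS - actions))
            findings.append((sid, "INCOMPLETE_PUSH", "docker push will fail; missing " + missing))
        # 2. Wildcard principal with no condition: every AWS account is granted.
        if _is_wildcard_principal(stmt.get("Principal")) and not conditions:
            findings.append((sid, "PUBLIC_PRINCIPAL", "Principal * with no Condition"))
        # 3. Condition keys that are commonly misread.
        for key in cond_keys:
            if key.startswith(REPO_TAG_PREFIXES):
                findings.append((sid, "RESOURCE_TAG_IS_REPO_TAG",
                                 key + " matches repository tags, not image tags"))
            if key == "aws:SourceIp" and not cond_keys & {"aws:SourceVpce", "aws:VpcSourceIp"}:
                findings.append((sid, "SOURCEIP_NO_VPCE",
                                 "aws:SourceIp does not match traffic via an ECR VPC endpoint"))
        # 4. Delete rights bundled with push rights in one statement.
        if actions & DESTRUCTIVE_ACTIONS and actions & PUSH_ACTIONS:
            findings.append((sid, "DELETE_MIXED_WITH_PUSH", "keep delete rights in their own statement/role"))
    return findings


def finding_codes(policy):
    """Sorted, de-duplicated finding codes; convenient for CI gates and assertions."""
    return sorted({code for _, code, _ in lint_policy(policy)})


# The tag-conditioned statement from the page, reproduced as constructed sample
# input (account id and role name are placeholders).
TAG_GATED_PUSH = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPushWithProperTags",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-build"},
        "Action": ["ecr:PutImage"],
        "Condition": {"StringEquals": {"ecr:ResourceTag/Environment": "Production"}},
    }],
}

# Constructed hardened variant: the full push action set, pinned to an assumed
# ECR VPC endpoint id instead of a public source range.
HARDENED_PUSH = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPushFromBuildVpce",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-build"},
        "Action": sorted(PUSH_ACTIONS),
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("tag-gated", TAG_GATED_PUSH), ("hardened", HARDENED_PUSH)):
        print(name, json.dumps(lint_policy(doc), indent=2))
```

Run the linter over the JSON file first, then apply it with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json` and read it back with `aws ecr get-repository-policy --repository-name <repo>` to confirm what is actually attached. The checks are heuristics on the document's shape, not an IAM policy evaluation; a clean result still needs a real push from the intended role to prove the grant works.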


