Unauthorized AWS ECR Container Upload by Unknown User
The analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events and identifying instances where a new container is uploaded by a user not previously recognized as authorized, potentially indicating a compromise or misuse of AWS ECR.
This detection identifies potentially malicious activity within an AWS Elastic Container Registry (ECR) environment. Specifically, it focuses on the unauthorized uploading of container images by users not previously known or authorized to perform such actions. This activity is detected by monitoring AWS CloudTrail logs for PutImage API calls. The alert triggers when a user who hasn't previously uploaded containers to ECR performs this action, raising concerns about potential account compromise, insider threats, or the deployment of malicious containers. The detection logic uses Amazon Security Lake (ASL) as a centralized source of CloudTrail data. This approach allows for a broader and more consistent view of activity across the AWS environment. The original Splunk ES datamodel version of this detection was published in 2026.
Attack Chain
- An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges.
- The attacker leverages the AWS CLI or API to authenticate to the AWS environment using the compromised credentials.
- The attacker builds or obtains a malicious container image, potentially containing malware or backdoors.
- The attacker attempts to upload the malicious container image to an AWS ECR repository using the
PutImageAPI call. - CloudTrail logs this
PutImageAPI call, including the user identity (actor.user.uid), source IP (src_endpoint.ip), and operation details. - The detection logic identifies the user as an unknown or unauthorized entity based on a lack of prior ECR upload activity.
- Security personnel investigate the alert, examining the container image for malicious content and the user account for signs of compromise.
- If malicious activity is confirmed, remediation steps include revoking compromised credentials, quarantining the container image, and investigating the scope of the breach.
Impact
Unauthorized container uploads to AWS ECR can have significant consequences. If successful, attackers can deploy malicious containers into production environments, leading to data breaches, system compromise, and service disruption. The scope of impact depends on the permissions granted to the compromised account or role and the nature of the deployed container. Depending on the compromised container's purpose, attackers could steal sensitive data, establish persistence, or launch further attacks within the AWS environment. The lack of known false positives suggests that any triggered alert warrants immediate investigation.
Recommendation
- Enable Amazon Security Lake and configure it to collect AWS CloudTrail logs from all relevant AWS accounts and regions to provide comprehensive visibility of ECR activity.
- Deploy the Sigma rule
AWS ECR Container Upload by Unknown Userto your SIEM and tune the rule based on your organization's known ECR user base. - Investigate any alerts generated by this detection, focusing on the source IP address (
src_endpoint.ip), user agent (http_request.user_agent), and the contents of the uploaded container image. - Review IAM policies related to ECR to ensure that only authorized users and roles have the necessary permissions to upload container images.
- Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.
Detection coverage 2
AWS ECR Container Upload by Unknown User
highDetects unauthorized container uploads to AWS ECR by unknown users based on CloudTrail logs.
AWS ECR PutImage from Suspicious IP
mediumDetects PutImage calls to AWS ECR originating from suspicious or blacklisted IP addresses.
Detection queries are available on the platform. Get full rules →