AWS - Accessing cross account and cross region resources in a secured manner

Server Fault Asked by Nadav Aviv on December 11, 2021

I’m trying to secure an ec2 instance using security groups to do the following

VPC A (Account - A, Region - A)
VPC B (Account - B, Region - B)

I want an ec2 instance in VPC A to be able to access ecr repositories in VPC B over HTTPS.
Since both VPCs are in different regions, I can’t use VPC endpoints for this.
I would rather not just allow the entire CIDR block of VPC B, but only this specific resource.

How can I do such a thing?

One Answer

I think your best option might be to use ECR Policy to allow cross account access. ECR repos are not shared by default, you have to grant access.

ECR isn't in your VPC, and from memory I don't think AWS publish the ECR IP range, so I think in your case you'll need to let your instance have https access to 0.0.0.0/0. If you want to restrict that you may have to use a proxy like squid which is domain aware, in a similar way to how you'd use a NAT gateway / instance.

We asked AWS Support about VPC Endpoints for cross account ECR recently. What they told us is VPC Endpoints are used for within the account, not for cross account. I haven't tested that, but that's what I recall they told us, but it's worth testing to be sure. So I think access cross region and cross account will have to be over the internet, and the only way to restrict access to ECR is using the policy I linked to above.

This policy from the page above allows cross account access

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

Answered by Tim on December 11, 2021
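The policy in the answer is the push variant from the AWS docs. The question only needs the instance in account A to pull, so a practitioner would want the narrower read-only grant and a quick check that a repository policy does not hand out more than that. The script below is an added example, not code from the Server Fault post or from AWS: it builds a pull-only repository policy for one or more principals and lints any repository policy for the usual over-broad patterns (a `*` principal, a wildcard action, an account `:root` principal, or push actions granted to a consumer). The account id and role name in the sample are constructed placeholders; `build_pull_policy` and `lint_repository_policy` are names chosen for this example.

```python
"""Added example: generate a pull-only ECR repository policy and lint
repository policies for over-broad grants. Standard library only."""
import json
import re

# Repository-level actions a consumer needs in order to pull an image.
# ecr:GetAuthorizationToken is a registry-level action that the caller's
# own IAM policy (in account A) must grant; a repository policy cannot.
PULL_ACTIONS = (
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
)

# Write actions from the answer's push policy; a pull-only consumer needs none.
PUSH_ACTIONS = frozenset({
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
})

# Accepts account root, a role, or a user ARN in the standard partition.
_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|role/[\w+=,.@/-]+|user/[\w+=,.@/-]+)$")


def build_pull_policy(principal_arns):
    """Return a repository policy dict granting only the pull actions to the given ARNs."""
    arns = list(principal_arns)
    if not arns:
        raise ValueError("at least one principal ARN is required")
    for arn in arns:
        if not _PRINCIPAL_RE.match(arn):
            raise ValueError(f"not an IAM principal ARN: {arn}")
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": arns},
            "Action": list(PULL_ACTIONS),
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_repository_policy(policy):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: Principal '*' lets any AWS account use this repository")
            elif arn.endswith(":root"):
                findings.append(f"{sid}: {arn} admits every identity in that account; prefer a role ARN")
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "ecr:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants every ECR operation")
        pushes = sorted(PUSH_ACTIONS.intersection(actions))
        if pushes:
            findings.append(f"{sid}: grants push actions {pushes}; a pull-only consumer does not need them")
    return findings


def to_policy_text(policy):
    """Serialise for `aws ecr set-repository-policy --policy-text file://policy.json`."""
    return json.dumps(policy, indent=4)


# Constructed sample: the instance role in account A (placeholder account id).
EXAMPLE_ROLE = "arn:aws:iam::111111111111:role/vpc-a-instance-role"

# The answer's push policy, with its placeholder principal, used as lint input.
ANSWER_PUSH_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPush",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::account-id:root"},
        "Action": list(PULL_ACTIONS[:1]) + ["ecr:BatchCheckLayerAvailability"] + sorted(PUSH_ACTIONS),
    }],
}

if __name__ == "__main__":
    print(to_policy_text(build_pull_policy([EXAMPLE_ROLE])))
    for finding in lint_repository_policy(ANSWER_PUSH_POLICY):
        print("finding:", finding)
```

The generated JSON is applied in account B with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json`; the instance role in account A still needs its own IAM policy allowing `ecr:GetAuthorizationToken` and the same three pull actions on the remote repository ARN, because a repository policy alone does not authorise the caller's side. Run against the answer's policy, the linter flags the `:root` principal and the four push actions, which is exactly the surface the question wanted to avoid exposing.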