
I'm trying to secure an EC2 instance using security groups to do the following:

VPC A (Account - A, Region - A)
VPC B (Account - B, Region - B)

I want an EC2 instance in VPC A to be able to access ECR repositories in VPC B over HTTPS. Since both VPCs are in different regions, I can't use VPC endpoints for this. I would rather not just allow the entire CIDR block of VPC B, but only this specific resource.

How can I do such a thing?

  • ECR is an internet based resource, not a VPC based resource. I think you need to allow internet access here. VPC endpoints are something to look into if you don't want to allow internet access, but you'd have to check they work cross-region. – Tim Jul 23 '20 at 20:14
  • Hi, I am aware of the fact that they are internet based; that's exactly why I need VPC endpoints... What I'm asking is how I can share VPC based resources (a security group for a VPC endpoint, for example) across accounts and across regions – Nadav Aviv Jul 26 '20 at 08:55

1 Answer


I think your best option might be to use an ECR repository policy to allow cross-account access. ECR repos are not shared by default; you have to grant access.

ECR isn't in your VPC, and from memory I don't think AWS publish the ECR IP range, so I think in your case you'll need to let your instance have HTTPS access to 0.0.0.0/0. If you want to restrict that you may have to use a proxy like Squid, which is domain aware, in a similar way to how you'd use a NAT gateway / instance.

We asked AWS Support about VPC endpoints for cross-account ECR recently. What they told us is that VPC endpoints are used within the account, not for cross-account access. I haven't tested that, but that's what I recall they told us, so it's worth testing to be sure. So I think access cross-region and cross-account will have to be over the internet, and the only way to restrict access to ECR is using the policy I linked to above.

This policy from the page above allows cross-account access:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}
Tim
  • For security reasons, I can't give access to 0.0.0.0/0 for HTTPS... Whenever both accounts are in the same region, this problem doesn't exist, since my VPC endpoint is in the same region, and then I can use the policy you've mentioned. The problem is whenever the "puller" account is in one region and the "repo" account is in another – Nadav Aviv Jul 26 '20 at 10:36
  • Have you tested it and found that VPC Endpoints work cross account within a region? That would be useful for us. If you can't open up 0.0.0.0/0 I think your constraints make your preferred solution impossible and you need a new design. How about building and storing your containers in multiple regions, or having some other process move them securely between regions? Or my suggestion of using squid / NAT to give an instance access only to the ECR domain? – Tim Jul 26 '20 at 18:07
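The following is an added example, not code from the original question or answer, showing the two halves of the cross-account grant the answer describes, tightened to pull-only for a specific role instead of the account root, plus the hostname allowlist a domain-aware proxy such as Squid would need instead of 0.0.0.0/0. Account IDs, the role name and the repository name are placeholders; the S3 layer-bucket hostname is an assumption taken from the bucket name AWS documents for the ECR VPC endpoint S3 policy and should be verified for your region; `apply_repository_policy` needs boto3 and credentials and is the only part that talks to AWS.

```python
"""Least-privilege cross-account ECR pull: repository policy (Account B),
instance-role identity policy (Account A) and the egress allowlist for a
domain-aware proxy.  Example code added to this thread; all identifiers are
placeholders."""
import json

# Actions a Docker/OCI client needs to pull from a repository.  Deliberately
# omits the push actions present in the AWS sample policy in the answer.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]
PUSH_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
}


def repository_pull_policy(puller_principal_arns):
    """Resource-based policy attached to the repository in Account B.
    Scope the principal to the instance role(s) in Account A, not :root."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(puller_principal_arns)},
            "Action": PULL_ACTIONS,
        }],
    }


def puller_identity_policy(repo_account, region, repo_names):
    """IAM policy for the EC2 instance role in Account A.  For cross-account
    access both this and the repository policy must allow the call.
    GetAuthorizationToken is registry-wide and only accepts Resource "*"."""
    repo_arns = [f"arn:aws:ecr:{region}:{repo_account}:repository/{n}"
                 for n in repo_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EcrLogin", "Effect": "Allow",
             "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "EcrPull", "Effect": "Allow",
             "Action": PULL_ACTIONS, "Resource": repo_arns},
        ],
    }


def ecr_pull_hostnames(repo_account, region):
    """Hostnames a pull from Account B's registry in `region` contacts.
    The S3 bucket name is an assumption (pattern from the AWS VPC endpoint
    docs); confirm it for your region before relying on it."""
    return [
        f"api.ecr.{region}.amazonaws.com",                 # GetAuthorizationToken
        f"{repo_account}.dkr.ecr.{region}.amazonaws.com",  # registry, manifests
        f"prod-{region}-starport-layer-bucket.s3.{region}.amazonaws.com",  # layers
    ]


def squid_conf_fragment(hostnames):
    """Squid ACLs allowing CONNECT on 443 only to the ECR hostnames."""
    lines = [f"acl ecr_hosts dstdomain {h}" for h in hostnames]
    lines += [
        "acl SSL_ports port 443",
        "http_access deny !SSL_ports",
        "http_access allow ecr_hosts",
        "http_access deny all",
    ]
    return "\n".join(lines) + "\n"


def assert_pull_only(policy):
    """Guard against accidentally granting push to the foreign account."""
    actions = set()
    for st in policy["Statement"]:
        act = st["Action"]
        actions.update([act] if isinstance(act, str) else act)
    leaked = actions & PUSH_ACTIONS
    if leaked:
        raise ValueError(f"policy grants push actions: {sorted(leaked)}")
    return True


def apply_repository_policy(repo_name, policy, region):
    """Attach the policy in Account B.  boto3 is imported here so the rest of
    the module runs offline; this call needs credentials for Account B."""
    import boto3
    ecr = boto3.client("ecr", region_name=region)
    return ecr.set_repository_policy(repositoryName=repo_name,
                                     policyText=json.dumps(policy))


if __name__ == "__main__":
    puller = ["arn:aws:iam::111111111111:role/ecr-puller"]  # Account A role
    repo_policy = repository_pull_policy(puller)
    assert_pull_only(repo_policy)
    print(json.dumps(repo_policy, indent=2))
    print(json.dumps(puller_identity_policy("222222222222", "eu-west-1",
                                            ["app"]), indent=2))
    print(squid_conf_fragment(ecr_pull_hostnames("222222222222", "eu-west-1")))
```

The security group on the instance can then allow 443 only to the proxy, and the proxy enforces the hostname list; this does not remove the internet hop the answer describes, it only narrows what the instance can reach over it.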