aws_ecr_repository_policy Resource

Use the aws_ecr_repository_policy InSpec audit resource to test the policy configured for a single AWS Elastic Container Registry (ECR) repository.

New in InSpec AWS resource pack 1.11.0.


This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.


An aws_ecr_repository_policy resource block declares the tests for a single AWS ECR repository by repository name.

describe aws_ecr_repository_policy(repository_name: 'my-repo') do
  it { should exist }
end

The value of the repository_name can be provided as a string.

describe aws_ecr_repository_policy('my-repo') do
  it { should exist }
end


The repository name must be provided.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • Minimum 2 and maximum of 256 characters long.

This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.


The have_statement matcher examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does not interpret the policy in a request authorization context as AWS does when a request is processed. Rather, the have_statement matcher examines the literal contents of the IAM policy and reports on what is present (or absent, when used with should_not).


The have_statement matcher accepts the following criteria to search for matching statements. A test is successful if any statement matches all the criteria. Criteria can be formatted in title case or lowercase, and as a string or symbol.

Action

Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '*' wildcard character. Action may also use a list of AWS operation names.

Effect

Expresses whether the operation is permitted. Acceptable values are 'Deny' and 'Allow'.

Sid

A user-provided string identifier for the statement.

Principal

Expresses the operation's target. Acceptable values are Amazon Resource Names (ARNs), including the '*' wildcard. Principal may also use a list of ARN values.

Please note the following about the behavior of the have_statement matcher:

  • The Action, Sid, and Resource criteria accept a regular expression instead of a string literal.
  • The have_statement matcher does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with "Action": "s3:*" and the test checks for Action: "s3:PutObject", the test will not match. You must write an additional test checking for the wildcard case.
  • The have_statement matcher supports searching for list values. For example, if a statement contains a list of three resources and a have_statement test specifies one of those resources, it will match.
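The following standalone Ruby script is an added illustration, not code from the InSpec AWS resource pack: it models the documented have_statement semantics (literal matching, list values, regular expressions, case-insensitive criteria keys, and no wildcard expansion) over a constructed sample policy, and shows why a check for anonymous pull access needs a second test for the wildcard spelling. The policy document, account id and role name are constructed.

```ruby
require 'json'
# Constructed sample ECR repository policy (not taken from any real account):
# one statement lets everyone pull, one lets a CI role do anything via a wildcard.
SAMPLE_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Sid": "public pull", "Effect": "Allow", "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"] },
      { "Sid": "ci push", "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:role/ci-push" },
        "Action": "ecr:*" }
    ]
  }
JSON

# Flatten a statement field to its string values: scalars, lists and
# Principal hashes such as {"AWS" => [...]} all become one flat array.
def values_of(field)
  case field
  when nil   then []
  when Hash  then field.values.flat_map { |v| values_of(v) }
  when Array then field.flat_map { |v| values_of(v) }
  else [field.to_s]
  end
end

# Literal comparison: a list field matches if any element matches, a Regexp
# criterion matches by pattern, and no wildcard expansion is performed.
def field_matches?(field, wanted)
  values_of(field).any? do |v|
    wanted.is_a?(Regexp) ? wanted.match?(v) : v == wanted.to_s
  end
end

# Mirrors the documented have_statement semantics: true if any statement
# satisfies every criterion. Keys may be 'Effect', 'effect', :Effect or :effect.
def have_statement?(policy_json, criteria)
  Array(JSON.parse(policy_json)['Statement']).any? do |st|
    criteria.all? { |k, v| field_matches?(st[k.to_s.capitalize], v) }
  end
end

# Defender's check for anonymous pull: the explicit actions AND the wildcard
# spellings must both be tested, because "ecr:*" never matches "ecr:BatchGetImage".
def public_pull?(policy_json)
  anyone = { Effect: 'Allow', Principal: '*' }
  have_statement?(policy_json, anyone.merge(Action: /^ecr:(BatchGetImage|GetDownloadUrlForLayer)$/)) ||
    have_statement?(policy_json, anyone.merge(Action: /^(ecr:\*|\*)$/))
end
```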


describe aws_ecr_repository_policy('repo_name') do
  it { should exist }
  it { should have_statement(Action: "ecr:GetDownloadUrlForLayer", Effect: "Allow", Principal: "*", Sid: "new policy") }
  it { should_not have_statement(Action: /^rds:.+$/) }
end

Symbols, title case, and lowercase are all allowed as criteria. The following four statements will return the same results:

describe aws_ecr_repository_policy('repo_name') do
  it { should_not have_statement('Effect' => 'Allow', 'Principal' => '*', 'Action' => '*') }
  it { should_not have_statement('effect' => 'Allow', 'Principal' => '*', 'action' => '*') }
  it { should_not have_statement(Effect: 'Allow', Principal: '*', Action: '*') }
  it { should_not have_statement(effect: 'Allow', Principal: '*', action: '*') }
end

AWS Permissions

Your Principal will need the ECR:Client:GetRepositoryPolicyResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

