Ensure Cluster Service Account with read-only access to Amazon ECR
An XCCDF Rule
Description
Configure the Cluster Service Account with Storage Object Viewer Role to only allow read-only access to Amazon ECR.
Rationale
The Cluster Service Account does not require administrative access to Amazon ECR, only requiring pull access to containers to deploy onto Amazon EKS. Restricting permissions follows the principles of least privilege and prevents credentials from being abused beyond the required role.
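As an added example (not part of this rule or the SCAP content), a small Python check that reports IAM policy statements granting a cluster or node role more than pull access to ECR. The four-action pull set and the two sample policy documents are constructed assumptions for the demonstration.

```python
"""Flag IAM policy statements that grant more than pull (read-only) access to Amazon ECR."""
import fnmatch

# Minimal set of ECR actions an EKS node role needs to pull images (assumption:
# the AWS-managed AmazonEC2ContainerRegistryReadOnly policy grants a superset).
ECR_PULL_ACTIONS = {
    "ecr:getauthorizationtoken",
    "ecr:batchchecklayeravailability",
    "ecr:getdownloadurlforlayer",
    "ecr:batchgetimage",
}
# A few real mutating ECR actions used to decide whether a wildcard is too broad.
MUTATING_SAMPLE = ["ecr:putimage", "ecr:initiatelayerupload", "ecr:deleterepository", "ecr:setrepositorypolicy"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def excessive_ecr_grants(policy):
    """Return (Sid, action) pairs for Allow statements that grant ECR access beyond pulling.
    IAM action names match case-insensitively, so everything is lower-cased."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # allow-everything-except is never least privilege
            findings.append((sid, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            a = action.lower()
            if a in ECR_PULL_ACTIONS:
                continue
            if "*" in a:  # wildcard: report it if it would match any mutating ECR action
                if any(fnmatch.fnmatch(m, a) for m in MUTATING_SAMPLE):
                    findings.append((sid, action))
            elif a.startswith("ecr:"):  # explicit ECR action outside the pull set
                findings.append((sid, action))
    return findings

# Constructed sample policies (not from the page): the pull-only shape and an over-broad one.
PULL_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PullOnly", "Effect": "Allow",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"], "Resource": "*"}]}
OVERLY_BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "NodeRole", "Effect": "Allow",
    "Action": "ecr:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("pull-only", PULL_ONLY_POLICY), ("overly broad", OVERLY_BROAD_POLICY)]:
        print(name, "->", excessive_ecr_grants(pol) or "OK")
```

Feed it the policy documents attached to the node instance role or the service account's IAM role; anything it reports is permission the cluster does not need to pull images.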
- ID: xccdf_org.ssgproject.content_rule_read_only_registry_access
- Severity: Unknown
- References:
- Updated: