Vendor services misconfigurations

Minimize cluster access to read-only for Amazon ECR

Risk Level

Informational (4)

Compliance Frameworks


The EKS Cluster Service Account only requires pull access to containers to deploy onto Amazon EKS. Restricting permissions follows the principles of least privilege and prevents credentials from being abused beyond the required role.
  • Recommended Mitigation

    Configure the EKS Cluster Service Account with Storage Object Viewer Role to only allow read-only access to Amazon ECR.