Amazon ECR CloudTrail and Registry Events
Location
CloudTrail events for ecr.amazonaws.com plus repository and image metadata from ECR APIs
Description
Registry activity for Amazon Elastic Container Registry including repository creation, policy changes, image push and pull activity, authentication-related events, and image inventory metadata.
Forensic Value
ECR events explain how attacker-controlled images entered the environment or how private repositories were enumerated and accessed. They are particularly valuable in supply-chain and container-cluster incidents because they tie image usage back to specific identities, source IPs, and repository mutations that can later be correlated with cluster deployment activity.
Tools Required
Collection Commands
AWS CLI
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ecr.amazonaws.com --output json > ecr_cloudtrail_events.json
AWS CLI
aws ecr describe-repositories --output json > ecr_repositories.json
AWS CLI
aws ecr describe-images --repository-name <repository-name> --output json > ecr_repository_images.json
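Once `ecr_cloudtrail_events.json` has been collected with the command above, the records still need to be flattened into the identity, source IP and repository view the Forensic Value section describes. The following Python is an added example, not part of this page's collection tooling: it parses the nested `CloudTrailEvent` JSON strings that `aws cloudtrail lookup-events` returns and pivots them by principal and source address. The sample records, account ID, ARNs, IPs and repository names are constructed for illustration.

```python
import json
from collections import Counter

# Real ECR API action names mapped to the investigative category they indicate.
CATEGORY = {"CreateRepository": "repo-mutation", "DeleteRepository": "repo-mutation",
            "SetRepositoryPolicy": "repo-mutation", "DeleteRepositoryPolicy": "repo-mutation",
            "PutImage": "image-push", "BatchDeleteImage": "image-delete",
            "BatchGetImage": "image-pull", "GetDownloadUrlForLayer": "image-pull",
            "GetAuthorizationToken": "auth"}

def tag_of(params):
    # PutImage carries imageTag directly; BatchGetImage/BatchDeleteImage use an imageIds list.
    if "imageTag" in params:
        return params["imageTag"]
    ids = params.get("imageIds") or []
    return ",".join(i.get("imageTag") or i.get("imageDigest", "?") for i in ids) or "-"

def summarize_ecr_events(lookup_output):
    # Flatten lookup-events output into time-sorted rows:
    # (eventTime, category, eventName, identityArn, sourceIP, repository, tag)
    rows = []
    for ev in lookup_output.get("Events", []):
        rec = json.loads(ev["CloudTrailEvent"])  # the full record is a nested JSON *string*
        if rec.get("eventSource") != "ecr.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        rows.append((rec["eventTime"], CATEGORY.get(rec["eventName"], "other"), rec["eventName"],
                     rec.get("userIdentity", {}).get("arn", "unknown"), rec.get("sourceIPAddress", "unknown"),
                     params.get("repositoryName", "-"), tag_of(params)))
    return sorted(rows)

def pivot_by_identity_and_ip(rows):
    # Events per (identity, source IP): the pivot that ties registry activity to a principal and a network location.
    return Counter((r[3], r[4]) for r in rows)

def _rec(time, name, arn, ip, **params):
    # Builds one constructed CloudTrail record as the JSON string lookup-events would return.
    return json.dumps({"eventTime": time, "eventSource": "ecr.amazonaws.com", "eventName": name,
                       "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params})

# Constructed sample in the shape `aws cloudtrail lookup-events` returns; all values are illustrative.
CI = "arn:aws:iam::111122223333:user/ci-bot"
NODE = "arn:aws:sts::111122223333:assumed-role/eks-node/i-0abc"
SAMPLE = {"Events": [
    {"CloudTrailEvent": _rec("2024-01-10T09:02:11Z", "PutImage", CI, "198.51.100.7", repositoryName="payments-api", imageTag="v1.4.2")},
    {"CloudTrailEvent": _rec("2024-01-10T08:59:40Z", "GetAuthorizationToken", CI, "198.51.100.7")},
    {"CloudTrailEvent": _rec("2024-01-10T09:00:05Z", "SetRepositoryPolicy", CI, "198.51.100.7", repositoryName="payments-api", policyText="<policy json>")},
    {"CloudTrailEvent": _rec("2024-01-10T09:05:30Z", "BatchGetImage", NODE, "10.0.2.14", repositoryName="payments-api", imageIds=[{"imageTag": "v1.4.2"}])},
]}
```

Replace `SAMPLE` with `json.load(open("ecr_cloudtrail_events.json"))` to run it over real collected output; a policy change immediately followed by a push from the same identity and IP, then a pull from a cluster node, is the sequence worth correlating with deployment activity.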
Collection Constraints
- ECR audit evidence explains registry activity, but investigators still need cluster or host evidence to prove image execution on workloads.
- Historical visibility depends on CloudTrail retention and whether registry metadata was preserved before cleanup or deletion.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.