GetAuthorizationToken
AWS
GetAuthorizationToken
Event
Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.
Security Context
- ECR authorization tokens provide temporary Docker registry credentials that can be used to pull or push container images, potentially exposing proprietary code and configuration secrets embedded in images.
- This event is frequently observed in container escape scenarios where compromised workloads retrieve ECR tokens via the instance metadata service to access container registries.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — running on a compromised EC2 worker that hosts an OCCAMY ingestion task — pulls the IMDS-exposed instance-profile credentials and calls ecr:GetAuthorizationToken. With the token, he can docker pull arbitrary images from the org’s private ECR registries (data exfil) and docker push backdoored variants. T1552 (Unsecured Credentials: Cloud Instance Metadata API).
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROAOCCAMYP1PEL1NE02:i-0occamy0000000001", "arn": "arn:aws:sts::555123456789:assumed-role/OccamyPipelineRole/i-0occamy0000000001", "accountId": "555123456789", "accessKeyId": "ASIAOCCAMY1MDS5SESS01", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAOCCAMYP1PEL1NE02", "arn": "arn:aws:iam::555123456789:role/OccamyPipelineRole", "accountId": "555123456789", "userName": "OccamyPipelineRole" }, "attributes": { "creationDate": "2026-04-15T21:09:14Z", "mfaAuthenticated": "false" }, "ec2RoleDelivery": "2.0" } }, "eventTime": "2026-04-15T21:13:02Z", "eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": null, "responseElements": null, "requestID": "90000000-0000-4000-8000-000100111010", "eventID": "90000000-0000-4000-8000-000100111011", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "api.ecr.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Credential Access
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...