Skip to content

GetAuthorizationToken

AWS

GetAuthorizationToken

service: AWS - ECR
techniques:

Event

Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.

Security Context

  • ECR authorization tokens provide temporary Docker registry credentials that can be used to pull or push container images, potentially exposing proprietary code and configuration secrets embedded in images.
  • This event is frequently observed in container escape scenarios where compromised workloads retrieve ECR tokens via the instance metadata service to access container registries.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — running on a compromised EC2 worker that hosts an OCCAMY ingestion task — pulls the IMDS-exposed instance-profile credentials and calls ecr:GetAuthorizationToken. With the token, he can docker pull arbitrary images from the org’s private ECR registries (data exfil) and docker push backdoored variants. T1552 (Unsecured Credentials: Cloud Instance Metadata API).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAOCCAMYP1PEL1NE02:i-0occamy0000000001",
"arn": "arn:aws:sts::555123456789:assumed-role/OccamyPipelineRole/i-0occamy0000000001",
"accountId": "555123456789",
"accessKeyId": "ASIAOCCAMY1MDS5SESS01",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAOCCAMYP1PEL1NE02",
"arn": "arn:aws:iam::555123456789:role/OccamyPipelineRole",
"accountId": "555123456789",
"userName": "OccamyPipelineRole"
},
"attributes": {
"creationDate": "2026-04-15T21:09:14Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0"
}
},
"eventTime": "2026-04-15T21:13:02Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "GetAuthorizationToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": null,
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100111010",
"eventID": "90000000-0000-4000-8000-000100111011",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "api.ecr.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Credential Access

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...