Ensure image tag is immutable for Amazon Elastic Container Registry (Amazon ECR) Repository

MEDIUM

Description

Image tags on this AWS ECR repository are mutable, so an existing tag can be overwritten by pushing a different image under the same tag, and consumers that pull by tag may receive an image other than the one originally tagged.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the ECR Console.
  2. Select the repository you wish to update.
  3. Click Edit.
  4. Set Tag immutability to Enabled.
  5. Select Save.

In Terraform -

  1. In the aws_ecr_repository resource, set the image_tag_mutability argument to "IMMUTABLE" (the provider default is "MUTABLE").
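To check this rule against Terraform source before it is applied, the following added example (not part of this policy page, and not Tenable or Terraform code) scans a constructed HCL sample for aws_ecr_repository resources whose image_tag_mutability is not "IMMUTABLE"; it treats a missing attribute as the provider default, MUTABLE, and uses a simple brace matcher rather than a full HCL parser.

```python
import re

# Constructed sample Terraform config (not from the page): one compliant
# repository and two non-compliant ones (one explicit, one by default).
SAMPLE_TF = '''
resource "aws_ecr_repository" "api" {
  name                 = "api"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}
resource "aws_ecr_repository" "worker" {
  name                 = "worker"
  image_tag_mutability = "MUTABLE"
}
resource "aws_ecr_repository" "legacy" {
  name = "legacy"
}
'''

_RESOURCE_RE = re.compile(r'resource\s+"aws_ecr_repository"\s+"([^"]+)"\s*\{')
_MUTABILITY_RE = re.compile(r'^\s*image_tag_mutability\s*=\s*"([^"]*)"', re.MULTILINE)


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_mutable_ecr_repos(hcl_text):
    """Map each non-compliant aws_ecr_repository name to its effective
    image_tag_mutability; an absent attribute means the provider default."""
    findings = {}
    for m in _RESOURCE_RE.finditer(hcl_text):
        body = _block_body(hcl_text, m.end() - 1)  # m.end()-1 is the '{'
        attr = _MUTABILITY_RE.search(body)
        setting = attr.group(1).upper() if attr else "MUTABLE (default, attribute absent)"
        if setting != "IMMUTABLE":
            findings[m.group(1)] = setting  # flag for AC_AWS_0447
    return findings
```

Run it in CI against the rendered .tf files and fail the job when the returned dict is non-empty.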

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository

Policy Details

Rule Reference ID: AC_AWS_0447
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks