Ensure AWS ECR Repository uses KMS for server-side encryption

MEDIUM

Description

AWS ECR Repository has at-rest encryption disabled, which may lead to sensitive data exposure.

Remediation

Amazon ECR stores images in Amazon S3 buckets that Amazon ECR manages. By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys. To use a customer-managed key, a new repository will need to be created. To do so, follow the steps below.

In AWS Console -

  1. Sign in to the AWS Console and open the ECR Console.
  2. Select Create new repository.
  3. Configure as needed; under Encryption settings, set KMS encryption to Enabled.
  4. Check the box for Customize encryption settings.
  5. Choose the KMS key to use for encryption and select Create repository.

In Terraform -

  1. In the aws_ecr_repository resource, set 'encryption_configuration.encryption_type' to 'KMS'.
  2. Set 'encryption_configuration.kms_key' to a valid AWS KMS key ARN.
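The following Terraform fragment, added here as an illustration rather than taken from the policy's own remediation, shows a repository that this rule flags next to one that passes. The key alias, repository names and tag values are constructed placeholders.

```hcl
# Flagged: no encryption_configuration block, so ECR falls back to
# S3-managed keys (the AES256 default) rather than a customer-managed KMS key.
resource "aws_ecr_repository" "flagged" {
  name = "example-app-flagged"   # constructed placeholder name

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Customer-managed key used for the compliant repository below.
# Enabling rotation is a separate, optional hardening step.
resource "aws_kms_key" "ecr" {
  description         = "CMK for ECR image encryption (example)"
  enable_key_rotation = true
}

resource "aws_kms_alias" "ecr" {
  name          = "alias/ecr-images-example"   # constructed placeholder alias
  target_key_id = aws_kms_key.ecr.key_id
}

# Compliant: encryption_type is KMS and kms_key points at the CMK's ARN.
# Note that encryption_configuration cannot be changed on an existing
# repository; Terraform will plan a replacement, matching the console
# guidance above to create a new repository.
resource "aws_ecr_repository" "compliant" {
  name = "example-app"           # constructed placeholder name

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  image_scanning_configuration {
    scan_on_push = true
  }
}
```

Running `terraform plan` on the compliant resource shows `encryption_type = "KMS"` and the key ARN under `encryption_configuration`, which is what this rule checks for.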

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository

Policy Details

Rule Reference ID: AC_AWS_0461
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks