Security Hub controls for Amazon ECR
These Security Hub controls evaluate the Amazon Elastic Container Registry (Amazon ECR) service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[ECR.1] ECR private repositories should have image scanning configured
Related requirements: NIST.800-53.r5 RA-5, PCI DSS v4.0.1/6.2.3, PCI DSS v4.0.1/6.2.4
Category: Identify > Vulnerability, patch, and version management
Severity: High
Resource type: AWS::ECR::Repository
AWS Config rule: ecr-private-image-scanning-enabled
Schedule type: Periodic
Parameters: None
This control checks whether a private Amazon ECR repository has image scanning configured. The control fails if the private ECR repository isn't configured for scan on push or continuous scanning.
ECR image scanning helps in identifying software vulnerabilities in your container images. Configuring image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.
Remediation
To configure image scanning for an ECR repository, see Image scanning in the Amazon Elastic Container Registry User Guide.
[ECR.2] ECR private repositories should have tag immutability configured
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-8(1)
Category: Identify > Inventory > Tagging
Severity: Medium
Resource type: AWS::ECR::Repository
AWS Config rule: ecr-private-tag-immutability-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE.
Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.
Remediation
To create a repository with immutable tags configured or to update the image tag mutability settings for an existing repository, see Image tag mutability in the Amazon Elastic Container Registry User Guide.
[ECR.3] ECR repositories should have at least one lifecycle policy configured
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)
Category: Identify > Resource configuration
Severity: Medium
Resource type: AWS::ECR::Repository
AWS Config rule: ecr-private-lifecycle-policy-configured
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured.
Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. By configuring lifecycle policies, you can automate the cleanup of unused images and the expiration of images based on age or count. Automating these tasks can help you avoid unintentionally using outdated images in your repository.
Remediation
To configure a lifecycle policy, see Creating a lifecycle policy preview in the Amazon Elastic Container Registry User Guide.
[ECR.4] ECR public repositories should be tagged
Category: Identify > Inventory > Tagging
Severity: Low
Resource type: AWS::ECR::PublicRepository
AWS Config rule: tagged-ecr-publicrepository (custom Security Hub rule)
Schedule type: Change triggered
Parameters:
Parameter | Description | Type | Allowed custom values | Security Hub default value |
---|---|---|---|---|
requiredTagKeys | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet AWS requirements | No default value |
This control checks whether an Amazon ECR public repository has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the public repository doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the public repository isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.
A tag is a label that you assign to an AWS resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to AWS resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see What is ABAC for AWS? in the IAM User Guide.
Note
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many AWS services, including AWS Billing. For more tagging best practices, see Tagging your AWS resources in the AWS General Reference.
Remediation
To add tags to an ECR public repository, see Tagging an Amazon ECR public repository in the Amazon Elastic Container Registry User Guide.
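To make the pass/fail logic of ECR.1 through ECR.4 concrete, here is an added Python example (not AWS's Config rule code) that evaluates constructed repository records against each control. It assumes the record fields mirror the ECR API responses (DescribeRepositories, GetRegistryScanningConfiguration, GetLifecyclePolicy, ListTagsForResource), treats a registry scanning rule whose filter matches the repository name as satisfying ECR.1, and uses fnmatch-style wildcard matching for repository filters.

```python
from fnmatch import fnmatchcase

# Constructed sample data; field names mirror the ECR API responses for
# DescribeRepositories, GetRegistryScanningConfiguration, GetLifecyclePolicy
# and ListTagsForResource (an assumption; nothing here was fetched from AWS).
REGISTRY_SCANNING = {"scanType": "ENHANCED", "rules": [
    {"scanFrequency": "CONTINUOUS_SCAN",
     "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}]}]}
REPOS = [
    {"repositoryName": "prod-api", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False},
     "lifecyclePolicyText": '{"rules":[{"rulePriority":1,"selection":{"tagStatus":"any",'
                           '"countType":"imageCountMoreThan","countNumber":50},'
                           '"action":{"type":"expire"}}]}',
     "tags": [{"Key": "aws:cloudformation:stack-name", "Value": "ecr-stack"},
              {"Key": "Owner", "Value": "platform-team"}]},
    {"repositoryName": "dev-scratch", "imageTagMutability": "MUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False},
     "lifecyclePolicyText": None, "tags": [{"Key": "owner", "Value": "alice"}]},
]

def ecr1_scanning(repo, registry=REGISTRY_SCANNING):
    """ECR.1: repository-level scan on push, or a registry scanning rule whose
    wildcard filter matches this repository (assumed fnmatch-style matching)."""
    if repo["imageScanningConfiguration"].get("scanOnPush"):
        return True
    return any(rule["scanFrequency"] in ("SCAN_ON_PUSH", "CONTINUOUS_SCAN")
               and any(fnmatchcase(repo["repositoryName"], f["filter"])
                       for f in rule["repositoryFilters"])
               for rule in registry.get("rules", []))

def ecr2_immutable(repo):  # ECR.2: passes only when the value is exactly IMMUTABLE
    return repo.get("imageTagMutability") == "IMMUTABLE"

def ecr3_lifecycle(repo):  # ECR.3: at least one lifecycle policy attached
    return bool(repo.get("lifecyclePolicyText"))

def ecr4_tagged(repo, required_tag_keys=None):
    """ECR.4: aws: system tags are ignored; with no requiredTagKeys any user tag
    passes, otherwise every required key must be present (case sensitive)."""
    keys = {t["Key"] for t in repo.get("tags", []) if not t["Key"].startswith("aws:")}
    return bool(keys) if not required_tag_keys else set(required_tag_keys) <= keys

def evaluate(repo, required_tag_keys=None):
    """Return PASSED/FAILED per control, the way a Security Hub finding would."""
    checks = {"ECR.1": ecr1_scanning(repo), "ECR.2": ecr2_immutable(repo),
              "ECR.3": ecr3_lifecycle(repo), "ECR.4": ecr4_tagged(repo, required_tag_keys)}
    return {cid: "PASSED" if ok else "FAILED" for cid, ok in checks.items()}
```

Running `evaluate` over each repository gives the same four verdicts Security Hub would report for it; note that ECR.4 is evaluated here against private repository records for illustration, whereas the control itself applies to public repositories.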