Amazon Elastic Container Registry controls
These controls are related to Amazon ECR resources.
[ECR.1] ECR private repositories should have image scanning configured
Related requirements: NIST.800-53.r5 RA-5
Category: Identify > Vulnerability, patch, and version management
Severity: High
Resource type:
AWS::ECR::Repository
AWS Config rule:
ecr-private-image-scanning-enabled
Schedule type: Periodic
Parameters: None
This control checks whether a private Amazon ECR repository has image scanning configured. The control fails if the private ECR repository isn't configured for scan on push or continuous scanning.
ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures
(CVEs) database from the open-source Clair project
This control isn't supported in the following Regions:
-
Asia Pacific (Hyderabad)
-
Asia Pacific (Jakarta)
-
Asia Pacific (Osaka)
-
China (Beijing)
-
China (Ningxia)
-
Europe (Spain)
-
Europe (Zurich)
-
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
To configure image scanning for an ECR repository, see Image scanning in the Amazon Elastic Container Registry User Guide.
[ECR.2] ECR private repositories should have tag immutability configured
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-8(1)
Category: Identify > Inventory > Tagging
Severity: Medium
Resource type:
AWS::ECR::Repository
AWS Config rule:
ecr-private-tag-immutability-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag
immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE.
Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.
This control isn't supported in the following Regions:
-
Asia Pacific (Hyderabad)
-
Asia Pacific (Jakarta)
-
Asia Pacific (Osaka)
-
China (Beijing)
-
China (Ningxia)
-
Europe (Spain)
-
Europe (Zurich)
-
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
To create a repository with immutable tags configured or to update the image tag mutability settings for an existing repository, see Image tag mutability in the Amazon Elastic Container Registry User Guide.
[ECR.3] ECR repositories should have at least one lifecycle policy configured
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)
Category: Identify > Resource configuration
Severity: Medium
Resource type:
AWS::ECR::Repository
AWS Config rule:
ecr-private-lifecycle-policy-configured
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured.
Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. By configuring lifecycle policies, you can automate the cleanup of unused images and the expiration of images based on age or count. Automating these tasks can help you avoid unintentionally using outdated images in your repository.
This control isn't supported in the following Regions:
-
Asia Pacific (Hyderabad)
-
Asia Pacific (Jakarta)
-
China (Beijing)
-
China (Ningxia)
-
Europe (Spain)
-
Europe (Zurich)
-
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
To configure a lifecycle policy, see Creating a lifecycle policy preview in the Amazon Elastic Container Registry User Guide.
