Control: 2 ECR private repositories should have tag immutability configured
This control checks whether a private ECR repository has tag immutability enabled. It fails if tag immutability is disabled on the repository and passes if tag immutability is enabled, that is, if the repository's image tag mutability setting has the value IMMUTABLE.
Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.
To create a repository with immutable tags configured or to update the image tag mutability settings for an existing repository, see Image tag mutability in the Amazon Elastic Container Registry User Guide.
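The check described above can be reproduced outside Steampipe against the output of `aws ecr describe-repositories`, whose `imageTagMutability` field carries the same IMMUTABLE/MUTABLE value the control inspects. The following is an added example, not code from Steampipe or the aws_compliance mod: it applies the control's rule to a constructed sample of describe-repositories output (placeholder account id and repository names), reports ok/alarm per repository, and prints the `aws ecr put-image-tag-mutability` command that would remediate each failing repository. A record with the field missing is treated as an alarm rather than silently passing.

```python
import json

# Constructed sample in the shape of `aws ecr describe-repositories` output.
# Account id and repository names are placeholders, not real resources.
SAMPLE_DESCRIBE_REPOSITORIES = json.dumps({
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app-api",
            "registryId": "111122223333",
            "repositoryName": "app-api",
            "imageTagMutability": "IMMUTABLE",
        },
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app-web",
            "registryId": "111122223333",
            "repositoryName": "app-web",
            "imageTagMutability": "MUTABLE",
        },
        {
            # imageTagMutability deliberately absent: the rule must not pass it.
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy",
            "registryId": "111122223333",
            "repositoryName": "legacy",
        },
    ]
})


def evaluate_repository(repo: dict) -> dict:
    """Apply the control's rule to one repository record.

    Passes only when imageTagMutability is exactly "IMMUTABLE"; MUTABLE,
    an unexpected value, or a missing field all yield an alarm.
    """
    mutability = repo.get("imageTagMutability")
    status = "ok" if mutability == "IMMUTABLE" else "alarm"
    state = "enabled" if status == "ok" else "disabled"
    return {
        "resource": repo["repositoryArn"],
        "repository_name": repo["repositoryName"],
        "registry_id": repo["registryId"],
        "status": status,
        "reason": f"{repo['repositoryName']} tag immutability {state}.",
    }


def evaluate(describe_output: str) -> list[dict]:
    """Evaluate every repository in a describe-repositories JSON document."""
    data = json.loads(describe_output)
    return [evaluate_repository(r) for r in data.get("repositories", [])]


def remediation_commands(results: list[dict]) -> list[str]:
    """Build the CLI command that enables tag immutability for each alarm."""
    return [
        "aws ecr put-image-tag-mutability "
        f"--registry-id {r['registry_id']} "
        f"--repository-name {r['repository_name']} "
        "--image-tag-mutability IMMUTABLE"
        for r in results
        if r["status"] == "alarm"
    ]


if __name__ == "__main__":
    findings = evaluate(SAMPLE_DESCRIBE_REPOSITORIES)
    for f in findings:
        print(f"{f['status']:5}  {f['resource']}  {f['reason']}")
    for cmd in remediation_commands(findings):
        print("remediate:", cmd)
```

Run against a live account by piping real output in place of the constructed sample (`aws ecr describe-repositories --output json`); the rule itself does not change.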
Run the control in your terminal:
steampipe check aws_compliance.control.foundational_security_ecr_2
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share aws_compliance.control.foundational_security_ecr_2
This control uses a named query: ecr_repository_tag_immutability_enabled