turbot/aws_compliance

GitHub
Loading controls...

Control: 2 ECR private repositories should have tag immutability configured

Description

This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE.

Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.

Remediation

To create a repository with immutable tags configured or to update the image tag mutability settings for an existing repository, see Image tag mutability in the Amazon Elastic Container Registry User Guide.

Usage

Run the control in your terminal:

steampipe check aws_compliance.control.foundational_security_ecr_2

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_compliance.control.foundational_security_ecr_2

SQL

This control uses a named query:

ecr_repository_tag_immutability_enabled

Tags