
Rule: ECR Private Repositories Tag Immutability Configuration

This rule focuses on configuring tag immutability for ECR private repositories.

Rule: ECR private repositories should have tag immutability configured
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

ECR (Elastic Container Registry) is the fully managed container image registry service provided by AWS. To comply with the AWS Foundational Security Best Practices standard, each private repository in ECR should have its image tag mutability setting configured as IMMUTABLE.

Tag immutability prevents an existing image tag in a private repository from being overwritten by a later push that reuses the same tag. With the setting enabled, a tag such as v1.2.3 stays bound to the image digest it was first assigned to; a push that tries to reuse the tag is rejected by the registry. Note that immutability governs tag overwrites only: images (and their tags) can still be deleted by a principal with the appropriate ECR permissions, and a new tag can still be pushed for a new image.

This matters for supply-chain integrity. Deployments that reference an image by tag rather than by digest otherwise have no protection against a tag being silently repointed, whether by an accidental CI re-push or by an attacker with push access. Immutable tags make the tag-to-digest mapping stable and auditable, so what was scanned, reviewed, or approved is what gets deployed.

Troubleshooting Steps:

If you encounter errors or inconsistencies while configuring tag immutability for your ECR private repositories, work through the following checks:

  1. Confirm that your IAM (Identity and Access Management) principal is allowed to manage the repository settings. Changing the setting requires the ecr:PutImageTagMutability action on the repository, and reading it back requires ecr:DescribeRepositories.

  2. Verify that you are using a current version of the AWS CLI (Command Line Interface) or SDK (Software Development Kit). Tag immutability was added to the ECR API after the service launched, so very old client versions do not expose the put-image-tag-mutability command.

  3. Double-check that you are targeting the correct repository and the correct region. Repository settings are per repository, and a repository with the same name in another region is a different resource.

  4. If you receive an AccessDeniedException or a similar permissions error, review the IAM policies attached to your user or role (and any service control policies or permission boundaries that apply) and make sure the actions above are granted on the repository ARN.

Necessary Code:

To set tag immutability on an ECR private repository with the AWS CLI, run:

aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability IMMUTABLE

Replace <repository-name> with the name of your ECR private repository. The accepted values for --image-tag-mutability are MUTABLE and IMMUTABLE. The setting applies to the whole repository: tags that already exist can no longer be overwritten, and any new tag pushed afterwards is likewise locked to its image. Existing images are not modified or removed by the change.

The page's original command list also included the following, which enables vulnerability scanning of images as they are pushed:

aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=true

Scan on push is a separate control that is not required for this rule; it is a good companion setting, but running it does not affect the tag mutability check.
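The CLI above fixes one repository at a time. To apply the rule across an account, a practitioner usually wants an audit of every repository in a region and a reviewable remediation step. The following is an added example (not code from the original page or from AWS): its audit logic runs offline against captured `aws ecr describe-repositories` JSON (a constructed sample is embedded), and the live `audit_account` function assumes boto3 is installed and credentials are configured with ecr:DescribeRepositories and, for remediation, ecr:PutImageTagMutability.

```python
"""Audit ECR private repositories for tag immutability and optionally remediate.

Added example, not part of the original page. The offline functions need only
the standard library; the live path imports boto3 lazily (assumed installed).
"""
import json
from typing import Iterable

COMPLIANT = "IMMUTABLE"  # the only value the FSBP control treats as passing

# Constructed sample in the shape of `aws ecr describe-repositories` output.
# Account ID and repository names are made up; real responses carry more fields.
SAMPLE_DESCRIBE_REPOSITORIES = json.dumps({
    "repositories": [
        {"repositoryName": "payments/api", "imageTagMutability": "IMMUTABLE",
         "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments/api"},
        {"repositoryName": "payments/worker", "imageTagMutability": "MUTABLE",
         "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments/worker"},
        {"repositoryName": "scratch", "imageTagMutability": "MUTABLE",
         "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/scratch"},
    ]
})


def noncompliant_repositories(describe_output: str) -> list[str]:
    """Return the names of repositories whose imageTagMutability is not IMMUTABLE.

    Anything other than IMMUTABLE (MUTABLE, or a missing field in a
    hand-edited capture) is reported as a finding, so the check fails closed.
    """
    data = json.loads(describe_output)
    return sorted(
        repo["repositoryName"]
        for repo in data.get("repositories", [])
        if repo.get("imageTagMutability") != COMPLIANT
    )


def remediation_commands(repo_names: Iterable[str]) -> list[str]:
    """Render the AWS CLI command that fixes each finding, for a change ticket or review."""
    return [
        f"aws ecr put-image-tag-mutability --repository-name {name} "
        f"--image-tag-mutability {COMPLIANT}"
        for name in repo_names
    ]


def audit_account(region: str, remediate: bool = False) -> list[str]:
    """Live version: page through DescribeRepositories and optionally fix findings.

    Assumes boto3 is installed and the caller's credentials allow
    ecr:DescribeRepositories (and ecr:PutImageTagMutability when remediate=True).
    """
    import boto3  # lazy import so the offline helpers above work without it

    ecr = boto3.client("ecr", region_name=region)
    findings: list[str] = []
    # describe_repositories is paginated; a large account will not fit in one page.
    for page in ecr.get_paginator("describe_repositories").paginate():
        findings.extend(noncompliant_repositories(json.dumps(page, default=str)))
    if remediate:
        for name in findings:
            ecr.put_image_tag_mutability(repositoryName=name, imageTagMutability=COMPLIANT)
    return sorted(findings)


if __name__ == "__main__":
    found = noncompliant_repositories(SAMPLE_DESCRIBE_REPOSITORIES)
    print("non-compliant repositories:", found)
    print("\n".join(remediation_commands(found)))
```

Run it with no arguments to see the offline audit of the constructed sample; call `audit_account("us-east-1")` for a real listing and `audit_account("us-east-1", remediate=True)` to apply the fix. After remediation, `aws ecr describe-repositories --repository-names <repository-name> --query 'repositories[0].imageTagMutability'` should return "IMMUTABLE", and a docker push that reuses an existing tag in that repository is rejected with an error stating that the tag already exists and cannot be overwritten because the repository is immutable.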

Step-by-Step Guide for Remediation:

Follow these steps to configure tag immutability for an ECR private repository using the AWS Management Console:

  1. Open the AWS Management Console and navigate to the Amazon ECR service.

  2. Select the region where your ECR private repository exists.

  3. Under Private registry, open Repositories and click the name of the repository you want to configure.

  4. On the repository page, choose "Edit" to open the repository settings.

  5. Set "Image tag mutability" to "Immutable". This prevents any existing tag in the repository from being overwritten by a later push; it does not remove existing images or block deletions.

  6. Optionally, enable "Scan on push" so that images are scanned for known vulnerabilities as they are pushed. This is a separate control and is not required for this rule.

  7. Click "Save" to apply the changes.

  8. Back on the repository page, confirm that "Image tag mutability" now shows "Immutable". If you want to test the effect, pushing an image with a tag that already exists in the repository will now fail with an error saying the tag cannot be overwritten.

After these steps the repository passes this rule: every tag in it is bound to a single image digest, which is the property the AWS Foundational Security Best Practices control is checking for.
