Overview
Container images should be protected from tag overwrite and scanned for vulnerabilities.
What this control should detect
ECR repositories that do not enforce image tag immutability and scan-on-push.
Remediation guidance
AWS Remediation
Service-Wide (Recommended)
Enforce ECR baseline settings in IaC modules and account guardrails.
Console (Asset-Level)
- Open ECR repository settings.
- Set tag mutability to Immutable.
- Enable image scanning on push.
AWS CLI (Asset-Level)
aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability IMMUTABLE
aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=true
References
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
Query logic
These are the stored checks tied to this control.
ECR repositories without immutability and scan-on-push
Connectors: AWS
Covered asset types: ECR repositories (ecrRepositories)
Expected check: eq [] (the control passes only when the query returns no repositories)
{ ecrRepositories(where: { OR: [ { imageScanningConfigurationScanOnPush: false }, { imageTagMutability_NOT: "IMMUTABLE" } ] }) { ...AssetFragment } }
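The stored check above and the two CLI commands in the remediation guidance, as an added Python example that is not part of this control page: `failed_settings` and `find_noncompliant` apply the same OR condition to a constructed sample shaped like the ECR DescribeRepositories response (assumed field layout), and `audit_account` runs the check against a live account with boto3 and, on request, applies the API equivalents of the two CLI commands.

```python
from typing import Dict, List

# Constructed sample shaped like the `repositories` list returned by the ECR
# DescribeRepositories API (only the two fields this check reads).
SAMPLE_REPOSITORIES = [
    {"repositoryName": "api", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "web", "imageTagMutability": "MUTABLE",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "worker", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False}},
    # No scanning block at all: a missing setting must count as disabled.
    {"repositoryName": "legacy", "imageTagMutability": "MUTABLE"},
]


def failed_settings(repo: Dict) -> List[str]:
    """Settings one repository fails (empty list when compliant).
    Mirrors the stored check: tag mutability != IMMUTABLE OR scanOnPush != true."""
    failed = []
    if repo.get("imageTagMutability") != "IMMUTABLE":
        failed.append("imageTagMutability")
    if repo.get("imageScanningConfiguration", {}).get("scanOnPush") is not True:
        failed.append("scanOnPush")
    return failed


def find_noncompliant(repos: List[Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant repository name to the settings it fails."""
    return {r["repositoryName"]: f for r in repos if (f := failed_settings(r))}


def audit_account(region: str = None, remediate: bool = False) -> Dict[str, List[str]]:
    """Run the check against the caller's account (needs boto3 and credentials);
    with remediate=True apply the API equivalents of the two CLI commands above."""
    import boto3  # imported here so the pure check functions need no AWS SDK
    ecr = boto3.client("ecr", region_name=region)
    repos = [r for page in ecr.get_paginator("describe_repositories").paginate()
             for r in page["repositories"]]
    result = find_noncompliant(repos)
    if remediate:
        for name, failed in result.items():
            if "imageTagMutability" in failed:
                ecr.put_image_tag_mutability(
                    repositoryName=name, imageTagMutability="IMMUTABLE")
            if "scanOnPush" in failed:
                ecr.put_image_scanning_configuration(
                    repositoryName=name, imageScanningConfiguration={"scanOnPush": True})
    return result
```

The constructed sample lets the check logic be unit-tested without AWS access; `audit_account` is the only function that talks to the API.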