ECR image tags are not immutable
Description
Amazon ECR supports immutable tags, preventing image tags from being overwritten.
Tag immutability enables users to rely on the descriptive tags of an image as a mechanism to track and uniquely identify images.
By setting an image tag as immutable, developers can use the tag to correlate the deployed image version with the build that produced the image.
Remediation
AWS Console
To change the policy using the AWS Console, follow these steps:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon ECR console (https://console.aws.amazon.com/ecr/repositories).
3. Select a repository using the radio button.
4. Click Edit.
5. Enable the Tag immutability toggle.
CLI Command
To create a repository with immutable tags configured:
```shell
aws ecr create-repository \
  --repository-name name \
  --image-tag-mutability IMMUTABLE \
  --region us-east-2
```
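The following script is an added example and is not code from the original page or from Checkov. It applies the same check as this rule in two places: to a CloudFormation template (flagging any AWS::ECR::Repository whose ImageTagMutability is not IMMUTABLE, including repositories that omit the property, since ECR defaults to MUTABLE) and to the JSON printed by `aws ecr describe-repositories`, for which it emits the `aws ecr put-image-tag-mutability` command that changes an existing repository. The template, the describe-repositories output, and all repository names are constructed sample data.

```python
"""Audit ECR repositories for tag immutability (the check behind CKV_AWS_51).

Added example: not code from the original page or from Checkov.
The sample template, the sample describe-repositories output, and all
repository names are constructed for illustration.
"""
from __future__ import annotations

import json

ECR_REPOSITORY_TYPE = "AWS::ECR::Repository"

# Constructed CloudFormation template: one compliant repository, one that
# relies on the service default (MUTABLE), one explicitly mutable, and an
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodRepo": {
            "Type": ECR_REPOSITORY_TYPE,
            "Properties": {"RepositoryName": "app-good", "ImageTagMutability": "IMMUTABLE"},
        },
        "DefaultRepo": {
            "Type": ECR_REPOSITORY_TYPE,
            "Properties": {"RepositoryName": "app-default"},
        },
        "MutableRepo": {
            "Type": ECR_REPOSITORY_TYPE,
            "Properties": {"RepositoryName": "app-mutable", "ImageTagMutability": "MUTABLE"},
        },
        "Logs": {"Type": "AWS::S3::Bucket"},
    }
}

# Constructed sample shaped like the JSON printed by
# `aws ecr describe-repositories` (only the fields the check needs).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"repositoryName": "app-good", "imageTagMutability": "IMMUTABLE"},
        {"repositoryName": "legacy-api", "imageTagMutability": "MUTABLE"},
    ]
})


def failing_cfn_repositories(template: dict) -> list[str]:
    """Logical IDs of ECR repositories in a CloudFormation template that
    do not set ImageTagMutability to IMMUTABLE.

    An absent property fails too: ECR creates repositories as MUTABLE
    unless told otherwise, so silence is the insecure setting."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ECR_REPOSITORY_TYPE:
            continue
        props = resource.get("Properties") or {}
        if props.get("ImageTagMutability") != "IMMUTABLE":
            failing.append(logical_id)
    return failing


def failing_live_repositories(describe_json: str) -> list[str]:
    """Names of existing repositories whose imageTagMutability is not
    IMMUTABLE, read from describe-repositories JSON output."""
    data = json.loads(describe_json)
    return [
        repo["repositoryName"]
        for repo in data.get("repositories", [])
        if repo.get("imageTagMutability") != "IMMUTABLE"
    ]


def remediation_commands(repository_names: list[str], region: str) -> list[str]:
    """Build the CLI commands that switch existing repositories to IMMUTABLE.
    create-repository only applies to new repositories; existing ones are
    changed with put-image-tag-mutability."""
    return [
        f"aws ecr put-image-tag-mutability --repository-name {name} "
        f"--image-tag-mutability IMMUTABLE --region {region}"
        for name in repository_names
    ]


if __name__ == "__main__":
    print("CloudFormation findings:", failing_cfn_repositories(SAMPLE_TEMPLATE))
    live = failing_live_repositories(SAMPLE_DESCRIBE_OUTPUT)
    print("Live findings:", live)
    for cmd in remediation_commands(live, "us-east-2"):
        print(cmd)
```

Against the constructed template the check reports DefaultRepo and MutableRepo; against the constructed describe-repositories output it reports legacy-api and prints the put-image-tag-mutability command for it. Treating a missing property as a finding is the important design choice: a template that never mentions ImageTagMutability still produces a mutable repository.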
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0105 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_51 |