Ensure ECR repositories have immutable tags

Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. Since a potential security issue may be present in a previous version of a Docker Image, it is important to not allow tags of previous images be set in order to make them appear to be the latest image or the production one. For this reason it is considered a security best practice to not allow tags to be changed.

Audit & Remediation

  • Login into your AWS account
  • Navigate to the ECR service at: https://console.aws.amazon.com/ecr
  • On the ECR main page, pinpoint any Repository name that has Tag immutability set to Disabled.

 

 

  • In the top right corner of this window, selectEdit button.
  • In the main panel, under Tag immutability select Enabled and select the Save button a the bottom.

 

 

  • Repeat the outlined steps for each repository.
  • Repeat the outlined steps for each region that you have ECR repositories in.
  • Repeat the outlined steps for each AWS account that you have.
See all of your AWS EC2 Instances in a single place!

Do you want to see all of your AWS EC2 Instances in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

 

Other Key Features

Inventory

Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +