chore(aws): enhance metadata for ecr service (#8872)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Rubén De la Torre Vico
2025-11-17 11:50:11 +01:00
committed by GitHub
parent 4167de39d2
commit e715b9fbfb
8 changed files with 123 additions and 76 deletions


@@ -53,6 +53,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update oraclecloud blockstorage service metadata to new format [(#9222)](https://github.com/prowler-cloud/prowler/pull/9222)
- Update oraclecloud audit service metadata to new format [(#9221)](https://github.com/prowler-cloud/prowler/pull/9221)
- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
- Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)
---


@@ -32,9 +32,7 @@
"Url": "https://hub.prowler.com/check/awslambda_function_using_supported_runtimes"
}
},
"Categories": [
"container-security"
],
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
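Review bot: Emptying `Categories` leaves awslambda_function_using_supported_runtimes with no category at all, so it silently drops out of any category-based selection that previously picked it up under container-security. Dropping a Lambda runtime check from container-security is defensible, but the change is outside the ECR scope named in the commit title and nothing in the commit says why; a one-line reason in the commit description, or a replacement category if one applies, would make the intent reviewable. The enclosing check object starts outside the hunk.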


@@ -1,32 +1,37 @@
{
"Provider": "aws",
"CheckID": "ecr_registry_scan_images_on_push_enabled",
"CheckTitle": "Check if ECR Registry has scan on push enabled",
"CheckTitle": "ECR registry has image scanning on push enabled for all repositories",
"CheckType": [
"Identify",
"Vulnerability, patch, and version management"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:ecr:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if ECR Registry has scan on push enabled",
"Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
"Description": "Amazon ECR registries with repositories are evaluated for image scanning configured as `scan on push` at the registry level, with scan rules that cover all repositories (no restrictive filters), for either **basic** or **enhanced** scanning.",
"Risk": "Absent or filtered `scan on push` lets **vulnerable images** be pushed and deployed without timely detection, enabling exploitation of known CVEs (RCE, privilege escalation), supply chain compromise, and lateral movement - threatening workload integrity and data confidentiality.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
],
"Remediation": {
"Code": {
"CLI": "aws ecr put-registry-scanning-configuration --rules 'scanFrequency=SCAN_ON_PUSH,repositoryFilters=[{filter=string,filterType=WILDCARD}]'",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. Open the AWS Management Console and go to Amazon ECR\n2. In the left menu, click Account settings (or Settings), then find Registry scanning\n3. Click Edit\n4. Set Scanning type to Enhanced scanning\n5. Enable Scan on push\n6. Under Repository filters, set Filter type to WILDCARD and Filter to *\n7. Click Save",
"Terraform": "```hcl\nresource \"aws_ecr_registry_scanning_configuration\" \"<example_resource_name>\" {\n scan_type = \"ENHANCED\"\n\n rule {\n scan_frequency = \"SCAN_ON_PUSH\" # Ensures scan on push\n repository_filter {\n filter = \"*\" # Applies to all repositories\n filter_type = \"WILDCARD\"\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
"Text": "Enable registry-wide `scan on push` and ensure rules apply to all repositories (no filters). Prefer **enhanced scanning** for broader coverage, and pair with continuous scans when available. Integrate findings into CI/CD gates and alerts to enforce **defense in depth** and block promotion of risky images.",
"Url": "https://hub.prowler.com/check/ecr_registry_scan_images_on_push_enabled"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
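Review bot: The `CLI` remediation still carries the placeholder `filter=string`, which, run as written, creates a rule that matches only a repository literally named `string` — exactly the restrictive filter the new Description says must be absent — while the console steps and the Terraform sample both use `*`. Suggest `"CLI": "aws ecr put-registry-scanning-configuration --scan-type ENHANCED --rules 'scanFrequency=SCAN_ON_PUSH,repositoryFilters=[{filter=*,filterType=WILDCARD}]'"` so all three remediation paths produce the same registry configuration. The Description accepts basic or enhanced scanning, yet step 4 of the console text mandates Enhanced; wording it as "Basic or Enhanced (Enhanced preferred)" keeps the remediation no stricter than the check.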


@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "ecr_repositories_lifecycle_policy_enabled",
"CheckTitle": "Check if ECR repositories have lifecycle policies enabled",
"CheckTitle": "ECR repository has a lifecycle policy configured",
"CheckType": [
"Identify",
"Resource configuration"
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Resource Consumption"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsEcrRepository",
"Description": "Check if ECR repositories have lifecycle policies enabled",
"Risk": "Amazon ECR repositories run the risk of retaining huge volumes of images, increasing unnecessary cost.",
"Description": "Amazon ECR repositories have a **lifecycle policy** configured to automatically expire container images based on age, count, or tags.",
"Risk": "Without **lifecycle policies**, images accumulate indefinitely, leading to:\n- **Availability** issues when quotas block pushes and CI/CD\n- **Integrity** risk from redeploying outdated, vulnerable images\n- **Cost** growth from unnecessary storage",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html",
"https://aws.plainenglish.io/automation-deletion-untagged-container-image-in-amazon-ecr-using-ecr-lifecycle-policy-995eae2f5b8d",
"https://blog.stackademic.com/title-implementing-lifecycle-policies-in-aws-ecr-a-practical-guide-3860b612b477",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html"
],
"Remediation": {
"Code": {
"CLI": "aws ecr put-lifecycle-policy --repository-name <REPOSITORY_NAME> --lifecycle-policy-text <LIFECYCLE_POLICY> [--registry-id <REGISTRY_ID>]",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html",
"Terraform": ""
"CLI": "aws ecr put-lifecycle-policy --repository-name <REPOSITORY_NAME> --lifecycle-policy-text '{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}'",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECR::Repository\n Properties:\n # Critical: Adding a lifecycle policy makes the repo PASS this check\n LifecyclePolicy:\n # Critical: The policy content; any valid rule satisfies the requirement\n LifecyclePolicyText: >-\n {\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}\n```",
"Other": "1. Open the AWS Console and go to Amazon ECR > Repositories\n2. Select the target repository\n3. From Actions, choose \"Lifecycle policies\"\n4. Click \"Create rule\"\n5. Set Image status: Untagged, Match criteria: Image count more than = 1, Action: Expire\n6. Click \"Save\" to apply the lifecycle policy",
"Terraform": "```hcl\nresource \"aws_ecr_lifecycle_policy\" \"<example_resource_name>\" {\n repository = \"<example_resource_name>\"\n # Critical: The policy ensures a lifecycle policy is configured for the repo\n policy = <<POLICY\n{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}\nPOLICY\n}\n```"
},
"Recommendation": {
"Text": "Open the Amazon ECR console. Create an ECR lifecycle policy.",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html"
"Text": "Implement **lifecycle policies** per repository to expire untagged, old, or excess images and retain a small set of trusted releases. Validate outcomes before applying, review rules regularly, and apply consistently across Regions when replicating. This supports **defense in depth** by reducing image attack surface and operational risk.",
"Url": "https://hub.prowler.com/check/ecr_repositories_lifecycle_policy_enabled"
}
},
"Categories": [],
"Categories": [
"container-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
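Review bot: The Recommendation tells the reader to "validate outcomes before applying", but neither the console steps nor the `CLI` field show how, and the sample rule expires every untagged image beyond one, which may remove images that are still referenced by digest. Add a preview step ahead of the save, e.g. `aws ecr start-lifecycle-policy-preview --repository-name <REPOSITORY_NAME> --lifecycle-policy-text '<LIFECYCLE_POLICY>'` followed by `aws ecr get-lifecycle-policy-preview --repository-name <REPOSITORY_NAME>`, and say in `Other` step 5 that the count and tag-status values are examples to tune per repository. Three of the five `AdditionalURLs` are third-party blog posts; the AWS pages alone cover the same ground and will not rot as quickly.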


@@ -1,29 +1,34 @@
{
"Provider": "aws",
"CheckID": "ecr_repositories_not_publicly_accessible",
"CheckTitle": "Ensure there are no ECR repositories set as Public",
"CheckTitle": "ECR repository is not publicly accessible",
"CheckType": [
"Protect",
"Secure Access Management"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Initial Access",
"Effects/Data Exposure"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsEcrRepository",
"Description": "Ensure there are no ECR repositories set as Public",
"Risk": "A repository policy that allows anonymous access may allow anonymous users to perform actions.",
"Description": "**Amazon ECR repositories** are evaluated for **public exposure** via repository policies that allow anonymous principals (e.g., `Principal: \"*\"`) to access the repo, including image listing, pulling, or modification.",
"Risk": "**Public access to ECR repositories** weakens **confidentiality** and **integrity**.\n\nAnyone can pull images, exposing proprietary code or embedded secrets; if pushes are allowed, attackers can poison images, enabling supply-chain compromise. Uncontrolled pulls can raise **egress costs** and leak repository metadata.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_1-ecr-repositories-not-public#cloudformation",
"Other": "https://docs.prowler.com/checks/aws/public-policies/public_1-ecr-repositories-not-public#aws-console",
"Terraform": ""
"CLI": "aws ecr delete-repository-policy --repository-name <example_resource_name>",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECR::Repository\n Properties:\n RepositoryPolicyText:\n Version: \"2012-10-17\"\n Statement:\n - Effect: Allow\n Principal:\n AWS: \"arn:aws:iam::<example_resource_id>:root\" # Critical: restricts access to a specific AWS account; removes public (*) access\n Action: \"ecr:*\"\n```",
"Other": "1. In the AWS Console, go to Amazon ECR > Repositories\n2. Select the repository\n3. Open the Permissions tab and click Edit\n4. Remove any statement with Principal set to \"*\", or replace it with specific AWS ARN(s) (e.g., arn:aws:iam::<example_resource_id>:root)\n5. Save changes",
"Terraform": "```hcl\nresource \"aws_ecr_repository_policy\" \"<example_resource_name>\" {\n repository = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = \"arn:aws:iam::<example_resource_id>:root\" } # Critical: restricts access to a specific AWS principal; removes public (*) access\n Action = \"ecr:*\"\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "Ensure the repository and its contents are not publicly accessible",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
"Text": "Apply **least privilege** to repository policies:\n- Avoid `Principal:\"*\"` and block anonymous access\n- Grant minimal actions to specific accounts/roles\n- Require authenticated pulls/pushes via IAM\n- Use **private connectivity** (e.g., VPC endpoints)\n- Add **defense in depth** with image scanning and signing",
"Url": "https://hub.prowler.com/check/ecr_repositories_not_publicly_accessible"
}
},
"Categories": [
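Review bot: The replacement policy in `NativeIaC` and `Terraform` grants `ecr:*` to an account root, which includes push and policy/repository deletion, while the Recommendation a few lines later asks for "minimal actions to specific accounts/roles"; the sample undercuts its own advice. Narrow the example to what a consuming account needs, e.g. `Action: ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]`, and mark the `# Critical:` comment as being about the Principal, not the Action. The `CLI` variant deletes the whole repository policy rather than replacing it, which is a valid fix but behaves differently from the IaC samples (access then falls back to IAM identity policies only); one sentence in `Other` stating that would keep the three paths consistent. The hunk ends at `"Categories": [`, so the category list itself is outside it.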


@@ -1,32 +1,40 @@
{
"Provider": "aws",
"CheckID": "ecr_repositories_scan_images_on_push_enabled",
"CheckTitle": "[DEPRECATED] Check if ECR image scan on push is enabled",
"CheckTitle": "[DEPRECATED] ECR repository has image scanning on push enabled",
"CheckType": [
"Identify",
"Vulnerability, patch, and version management"
"Software and Configuration Checks/Vulnerabilities/CVE",
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsEcrRepository",
"Description": "[DEPRECATED] Check if ECR image scan on push is enabled",
"Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
"Description": "[DEPRECATED]\n**Amazon ECR repositories** are evaluated for **image scanning on push**; when configured, new image uploads automatically trigger a vulnerability scan (`scan_on_push`).",
"Risk": "Without **scan on push**, images with known CVEs can enter registries and reach runtime unnoticed, undermining **integrity** and **confidentiality** through exploitable packages. Attackers may achieve code execution and lateral movement. Delayed detection increases operational risk and extends remediation timelines.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/scan-on-push.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic-enabling.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
],
"Remediation": {
"Code": {
"CLI": "aws ecr create-repository --repository-name <repo_name> --image-scanning-configuration scanOnPush=true--region <region_name>",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_8#cli-command",
"Other": "",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_8#fix---buildtime"
"CLI": "aws ecr put-image-scanning-configuration --repository-name <repo_name> --image-scanning-configuration scanOnPush=true",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECR::Repository\n Properties:\n ImageScanningConfiguration:\n ScanOnPush: true # Critical: enables image scanning on push for this repository\n```",
"Other": "1. Open the AWS Console and go to Amazon ECR\n2. Click Repositories and select the target repository\n3. Click Edit\n4. Enable the Scan on push toggle\n5. Click Save",
"Terraform": "```hcl\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n image_scanning_configuration {\n scan_on_push = true # Critical: enables scanning on image push\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
"Text": "Enable **image scanning on push** (`scan_on_push`) for all repositories and use findings as promotion gates. Prefer **continuous/enhanced scanning** for defense in depth, set severity thresholds, and block or quarantine noncompliant images. Integrate results with CI/CD and adopt **shift-left** vulnerability management.",
"Url": "https://hub.prowler.com/check/ecr_repositories_scan_images_on_push_enabled"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
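Review bot: The check is marked `[DEPRECATED]` in both title and description, yet `Notes` stays `""` and `RelatedTo` stays `[]`, so nothing in the metadata says why or what to use instead; the registry-level check updated in this same commit, `ecr_registry_scan_images_on_push_enabled`, appears to be the successor. Suggest `"RelatedTo": ["ecr_registry_scan_images_on_push_enabled"]` and a one-line reason in `Notes` (that registry-level scanning configuration supersedes the per-repository `scanOnPush` flag) so the deprecation is machine-visible rather than only a title prefix.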


@@ -1,32 +1,43 @@
{
"Provider": "aws",
"CheckID": "ecr_repositories_scan_vulnerabilities_in_latest_image",
"CheckTitle": "Check if ECR image scan found vulnerabilities in the newest image version",
"CheckTitle": "ECR repository latest image is scanned with no vulnerabilities at or above the configured minimum severity",
"CheckType": [
"Identify",
"Vulnerability, patch, and version management"
"Software and Configuration Checks/Vulnerabilities/CVE",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsEcrRepository",
"Description": "Check if ECR image scan found vulnerabilities in the newest image version",
"Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.",
"Description": "**Amazon ECR repositories** are assessed on the most recent pushed image to confirm a vulnerability scan exists, completed successfully, and that no results meet or exceed the configured minimum severity (e.g., `CRITICAL`, `HIGH`, `MEDIUM`).",
"Risk": "Unscanned or high-severity findings in container images expose workloads to exploitation of known CVEs.\n\nAttackers can gain code execution, exfiltrate data, alter services, or disrupt operations, enabling **lateral movement** and supply-chain compromise-impacting **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.geeksforgeeks.org/devops/how-to-manage-image-security-and-vulnerabilities-in-ecr/",
"https://aws.amazon.com/blogs/aws/amazon-inspector-enhances-container-security-by-mapping-amazon-ecr-images-to-running-containers/",
"https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```yaml\n# Enable scan on push so the latest image is automatically scanned\nResources:\n EcrRepository:\n Type: AWS::ECR::Repository\n Properties:\n RepositoryName: <example_resource_name>\n ImageScanningConfiguration:\n ScanOnPush: true # CRITICAL: ensures each pushed image is scanned so the latest has scan results\n```",
"Other": "1. In the AWS Console, go to ECR > Repositories > <example_resource_name>\n2. Click Edit and enable Scan on push, then Save\n3. Rebuild the container image to remove vulnerabilities and push a new tag to the repository\n4. Open the image details and click Scan image (if not auto-scanned)\n5. Confirm Findings show 0 vulnerabilities at or above the required severity",
"Terraform": "```hcl\n# Enable scan on push so the latest image is automatically scanned\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n image_scanning_configuration {\n scan_on_push = true # CRITICAL: ensures each pushed image is scanned so the latest has scan results\n }\n}\n```"
},
"Recommendation": {
"Text": "Open the Amazon ECR console. Then look for vulnerabilities and fix them.",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings"
"Text": "Enable **continuous scanning** for repositories and enforce deployment gates at your policy threshold (e.g., `MEDIUM`+).\n\nRebuild images with patched components and updated bases, keep images minimal, and apply **least privilege**. Use **image signing** and CI/CD checks so only scanned, compliant images can run.",
"Url": "https://hub.prowler.com/check/ecr_repositories_scan_vulnerabilities_in_latest_image"
}
},
"Categories": [],
"Categories": [
"vulnerabilities",
"container-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
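Review bot: `CLI` is left as `""` although the other three remediation fields are filled in this hunk, and console step 4 describes a manual scan that has a direct CLI equivalent. Suggest `"CLI": "aws ecr start-image-scan --repository-name <example_resource_name> --image-id imageTag=<tag>"` and mention `aws ecr describe-image-scan-findings` as the way to confirm step 5. The `# CRITICAL:` marker in the IaC snippets here is upper-case while the other ECR files in this commit use `# Critical:`; pick one form. The geeksforgeeks entry in `AdditionalURLs` adds nothing the AWS pages beneath it do not already cover.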


@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "ecr_repositories_tag_immutability",
"CheckTitle": "ECR repositories should have tag immutability configured",
"CheckTitle": "ECR repository has image tag immutability enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "ecr",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:ecr:{region}:{account-id}:repository/{repository-name}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsEcrRepository",
"Description": "This control checks whether a ECR repository has tag immutability enabled. The control fails if a ECR repository has tag immutability disabled and passes if tag immutability is set to IMMUTABLE.",
"Risk": "Disabling tag immutability in an ECR repository increases the risk of image tampering by allowing tags to be overridden, which can lead to deploying unintended images and security vulnerabilities.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html",
"Description": "Amazon ECR repositories are assessed for **image tag immutability**. Repositories permitting tag updates (`MUTABLE`) are identified; those enforcing immutable tags (such as `IMMUTABLE`) are recognized.",
"Risk": "Mutable tags allow replacing the image behind a trusted tag, undermining release **integrity**. This enables supply-chain injection, unintended rollouts, and backdoored deployments, harming **availability**. Malicious images can exfiltrate data, impacting **confidentiality**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-2",
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html"
],
"Remediation": {
"Code": {
"CLI": "aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability IMMUTABLE",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-2",
"Terraform": ""
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECR::Repository\n Properties:\n ImageTagMutability: IMMUTABLE # Critical: enables tag immutability to prevent tag overwrites\n```",
"Other": "1. Open the Amazon ECR console\n2. Go to Repositories (Private) and select the repository\n3. Click Actions > Edit\n4. Set Image tag immutability to Immutable\n5. Click Save",
"Terraform": "```hcl\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n image_tag_mutability = \"IMMUTABLE\" # Critical: enables tag immutability to prevent tag overwrites\n}\n```"
},
"Recommendation": {
"Text": "Enable tag immutability on your ECR repositories to prevent image tags from being overwritten.",
"Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html"
"Text": "Enable **tag immutability** so tags map to a single artifact. Use **versioned tags** per build, block retagging in CI/CD, and apply **least privilege** for push actions. Layer **image signing** and admission controls to run only trusted images. *If exceptions are needed, keep them narrow and monitored.*",
"Url": "https://hub.prowler.com/check/ecr_repositories_tag_immutability"
}
},
"Categories": [],
"Categories": [
"container-security",
"software-supply-chain"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
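Review bot: The new Description says immutable tags are recognized for values "such as `IMMUTABLE`", which implies other passing values without naming them, while the Risk and Recommendation only discuss `MUTABLE` versus `IMMUTABLE` plus narrowly scoped exceptions. If the check treats exclusion-filter mutability modes as passing, list them explicitly; if not, drop "such as" so the contract is a single value: `"Description": "Amazon ECR repositories are assessed for **image tag immutability**. Repositories permitting tag updates (`MUTABLE`) are identified; those enforcing immutable tags (`IMMUTABLE`) are recognized."`. The old `RelatedUrl` was moved into `AdditionalURLs` rather than dropped, so no reference is lost.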