enforce-immutable-repository
Explanation
ECR repositories should have image tag mutability set to IMMUTABLE. With the default MUTABLE setting, anyone with push access to the repository can push a new image under a tag that already exists (for example `latest` or `v1.2.3`), and every consumer that pulls by that tag silently receives the replaced image. Setting the repository's ImageTagMutability property to IMMUTABLE makes a push to an already existing tag fail, so a tag, once published, always refers to the same image.
Possible Impact
Image tags could be overwritten with compromised images. A compromised build pipeline, a leaked push credential, or simply a mistaken `docker push` can replace the image behind a tag that deployments already trust, with no change to any deployment manifest to reveal it.
Suggested Resolution
Set ImageTagMutability to IMMUTABLE on every ECR repository. Push each build under a unique tag (a version number or commit SHA) rather than re-pushing a moving tag such as `latest`, because that push is rejected once tags are immutable. Existing repositories can be switched with `aws ecr put-image-tag-mutability --repository-name <name> --image-tag-mutability IMMUTABLE`; images already stored in the repository are not affected. Pulling by digest (`image@sha256:...`) pins an image even more tightly and works regardless of the tag setting.
Insecure Example
The following example will fail the AVD-AWS-0031 check. ImageTagMutability is not set, so the repository gets the MUTABLE default. (ScanOnPush is unrelated to this check and is covered separately.)
---
Resources:
  BadExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageScanningConfiguration:
        ScanOnPush: false
Secure Example
The following example will pass the AVD-AWS-0031 check because ImageTagMutability is explicitly IMMUTABLE. The ScanOnPush and EncryptionConfiguration settings are shown as they appear in the original example; they are evaluated by other checks, not this one.
---
Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageTagMutability: IMMUTABLE
      ImageScanningConfiguration:
        ScanOnPush: false
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: "alias/ecr-key"
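To make the rule concrete, here is an added Python example that applies the same logic as the check above to a parsed CloudFormation template and also rewrites the template to the compliant form. It is not tfsec or trivy code. It assumes the template has already been loaded into a dict (with `yaml.safe_load` or `json.load`); the template embedded below is a constructed JSON version of the page's two examples plus one repository that sets MUTABLE explicitly and one unrelated resource.

```python
"""Flag and fix AWS::ECR::Repository resources whose image tags are not IMMUTABLE.

Added example mirroring the AVD-AWS-0031 rule; not the tfsec/trivy implementation.
Templates are assumed to be parsed already (yaml.safe_load or json.load).
"""
import json
from typing import Dict, List

ECR_REPOSITORY = "AWS::ECR::Repository"


def find_mutable_ecr_repositories(template: Dict) -> List[Dict]:
    """Return one finding per ECR repository whose ImageTagMutability is not IMMUTABLE.

    ImageTagMutability defaults to MUTABLE when omitted, so a missing property is
    reported just like an explicit MUTABLE value.
    """
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != ECR_REPOSITORY:
            continue
        props = resource.get("Properties") or {}
        mutability = props.get("ImageTagMutability")
        if mutability == "IMMUTABLE":
            continue
        findings.append({
            "resource": logical_id,
            "repository_name": props.get("RepositoryName", "<unnamed>"),
            "mutability": mutability if mutability is not None else "MUTABLE (default)",
        })
    return findings


def enforce_immutable_tags(template: Dict) -> Dict:
    """Return a deep copy of the template with every ECR repository set to IMMUTABLE."""
    fixed = json.loads(json.dumps(template))  # deep copy; the input is left untouched
    for resource in (fixed.get("Resources") or {}).values():
        if isinstance(resource, dict) and resource.get("Type") == ECR_REPOSITORY:
            props = resource.get("Properties") or {}
            props["ImageTagMutability"] = "IMMUTABLE"
            resource["Properties"] = props
    return fixed


# Constructed sample template: JSON form of the page's BadExample and GoodExample,
# plus an explicitly MUTABLE repository and a non-ECR resource the check must skip.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "BadExample": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {"ScanOnPush": false}
      }
    },
    "ExplicitlyMutable": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "mutable-repository",
        "ImageTagMutability": "MUTABLE"
      }
    },
    "GoodExample": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageTagMutability": "IMMUTABLE",
        "ImageScanningConfiguration": {"ScanOnPush": false},
        "EncryptionConfiguration": {"EncryptionType": "KMS", "KmsKey": "alias/ecr-key"}
      }
    },
    "Unrelated": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for finding in find_mutable_ecr_repositories(SAMPLE_TEMPLATE):
        print(f"{finding['resource']} ({finding['repository_name']}): "
              f"ImageTagMutability is {finding['mutability']}")
    # After remediation the check reports nothing.
    assert not find_mutable_ecr_repositories(enforce_immutable_tags(SAMPLE_TEMPLATE))
```

Run it against a real template by replacing SAMPLE_TEMPLATE with the output of `yaml.safe_load` on the file; the distinction between "MUTABLE (default)" and an explicit "MUTABLE" in the findings is useful when deciding whether a repository was left open by omission or on purpose.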