Skip to content

enforce-immutable-repository

Default Severity: high

Explanation

ECR images should be set to IMMUTABLE to prevent code injection through image mutation.

This can be done by setting image_tab_mutability to IMMUTABLE

Possible Impact

Image tags could be overwritten with compromised images

Suggested Resolution

Only use immutable images in ECR

Insecure Example

The following example will fail the aws-ecr-enforce-immutable-repository check.

 resource "aws_ecr_repository" "bad_example" {
   name                 = "bar"
   image_tag_mutability = "MUTABLE"

   image_scanning_configuration {
     scan_on_push = true
   }
 }

Secure Example

The following example will pass the aws-ecr-enforce-immutable-repository check.

 resource "aws_ecr_repository" "good_example" {
   name                 = "bar"
   image_tag_mutability = "IMMUTABLE"

   image_scanning_configuration {
     scan_on_push = true
   }
 }