enforce-immutable-repository
Default Severity: high
Explanation
ECR repositories should have their tag mutability set to IMMUTABLE so that an existing image tag cannot be overwritten, which closes off code injection through image mutation.
This is done by setting image_tag_mutability
to IMMUTABLE
Possible Impact
Image tags could be overwritten with compromised images
Suggested Resolution
Only use immutable images in ECR
Insecure Example
The following example will fail the aws-ecr-enforce-immutable-repository check.
resource "aws_ecr_repository" "bad_example" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}
Secure Example
The following example will pass the aws-ecr-enforce-immutable-repository check.
resource "aws_ecr_repository" "good_example" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}
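The following is an added example, not tfsec's own code, that applies the check above to Terraform text: it finds each aws_ecr_repository resource and reports whether image_tag_mutability is IMMUTABLE. It goes one step beyond the two examples on the page by also treating a repository that omits the attribute as failing, on the assumption (matching the AWS provider's documented default) that an unset image_tag_mutability means MUTABLE. The sample configuration is constructed for the example; the function and regex names are choices made here.

```python
import re

# Constructed sample Terraform configuration (not from the page's project).
# It contains the page's failing and passing examples, a repository that
# omits image_tag_mutability, and an unrelated resource that must be ignored.
SAMPLE_HCL = '''
resource "aws_ecr_repository" "bad_example" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "good_example" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "implicit_example" {
  name = "baz"
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "not-an-ecr-repo"
}
'''

# Matches the opening line of an aws_ecr_repository resource block.
RESOURCE_HEADER = re.compile(r'resource\s+"aws_ecr_repository"\s+"([^"]+)"\s*\{')
# Matches the image_tag_mutability attribute on its own line inside a block body.
MUTABILITY_ATTR = re.compile(r'^\s*image_tag_mutability\s*=\s*"([^"]*)"', re.MULTILINE)


def _block_body(text, open_brace_index):
    """Return the text between the brace at open_brace_index and its matching close.

    Brace counting is enough here because nested blocks such as
    image_scanning_configuration use the same { } delimiters.
    """
    depth = 0
    for i in range(open_brace_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_index + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def check_ecr_mutability(hcl_text):
    """Return {resource_name: (effective_mutability, passes)} for each aws_ecr_repository.

    An absent image_tag_mutability is reported as MUTABLE (assumed provider
    default), so such a repository fails the check just like an explicit MUTABLE.
    """
    results = {}
    for header in RESOURCE_HEADER.finditer(hcl_text):
        body = _block_body(hcl_text, header.end() - 1)  # header ends on the "{"
        attr = MUTABILITY_ATTR.search(body)
        effective = attr.group(1).upper() if attr else "MUTABLE"
        results[header.group(1)] = (effective, effective == "IMMUTABLE")
    return results


def failing_repositories(hcl_text):
    """Sorted names of repositories that would fail aws-ecr-enforce-immutable-repository."""
    return sorted(name for name, (_, ok) in check_ecr_mutability(hcl_text).items() if not ok)


if __name__ == "__main__":
    for name, (mutability, ok) in check_ecr_mutability(SAMPLE_HCL).items():
        print(f"{name}: image_tag_mutability={mutability} -> {'PASS' if ok else 'FAIL'}")
```

Run against the sample, the script flags bad_example and implicit_example and passes good_example; the S3 bucket is not reported at all because the check applies only to aws_ecr_repository resources.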