aws-ecr-tags-mutable

Ensure ECR Image Tags are immutable

Examples

Insecure Example

Terraform

resource "aws_ecr_repository" "tags_mutability" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"         # Mutable by default

  image_scanning_configuration {
    scan_on_push = true
  }
}

CloudFormation

AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  MyRepo: 
    Type: AWS::ECR::Repository
    Properties: 
      RepositoryName: "mutable-repository"
      ImageTagMutability: "MUTABLE"        # Mutable by default

Secure Example

Terraform

resource "aws_ecr_repository" "tags_mutability" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

CloudFormation

AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  MyRepo: 
    Type: AWS::ECR::Repository
    Properties: 
      RepositoryName: "immutable-repository"
      ImageTagMutability: "IMMUTABLE"

More information

• AWS Docs
• Terraform Docs
• Cloudformation Docs