ECR Repository Tag Should Be Immutable
More Info:
Ensures ECR repository image tags cannot be overwritten. ECR repositories should be configured to prevent overwriting of image tags to avoid potentially-malicious images from being deployed to live environments.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CBP
Remediation
Using Console
To remediate the misconfiguration “ECR Repository Tag Should Be Immutable” for AWS using the AWS console, follow these steps:
- Open the Amazon ECR console at https://console.aws.amazon.com/ecr/.
- In the navigation pane, choose the repository that you want to remediate.
- Choose the “Image tags” tab.
- Choose the tag that you want to make immutable.
- Choose “Actions”, and then choose “Edit tag immutability”.
- Choose “Immutable”, and then choose “Save”.
By following these steps, you have successfully remediated the misconfiguration “ECR Repository Tag Should Be Immutable” for AWS using the AWS console.
Using CLI
To remediate the misconfiguration “ECR Repository Tag Should Be Immutable” in AWS using AWS CLI, you can follow the below steps:
- First, you need to create a new ECR repository policy with the rule “ecr:PutImageTagMutability” set to “IMMUTABLE”. You can use the following AWS CLI command to create a new ECR repository policy:
aws ecr set-repository-policy --repository-name <REPOSITORY_NAME> --policy-text '{"rules": [{"rulePriority": 1,"description": "ECR Repository Tag Should Be Immutable","selection": {"tagStatus": "tagged","tagPrefixList": ["latest"]},"action": {"type": "tagMutability","mutability": "IMMUTABLE"}}]}'
Note: Replace <REPOSITORY_NAME> with the name of the ECR repository you want to update.
- Once the new ECR repository policy is created, you need to update the existing ECR repository with the new policy. You can use the following AWS CLI command to update the ECR repository:
aws ecr put-image-tag-mutability --repository-name <REPOSITORY_NAME> --image-tag-mutability IMMUTABLE
Note: Replace <REPOSITORY_NAME> with the name of the ECR repository you want to update.
- After running the above commands, the ECR repository’s tags will be immutable, and no new tags can be created or updated. Any attempt to create or update a tag will result in an error.
By following the above steps, you can remediate the misconfiguration “ECR Repository Tag Should Be Immutable” in AWS using AWS CLI.
Using Python
To remediate the issue of ECR Repository Tag Should Be Immutable in AWS using Python, you can follow the below steps:
- Install the AWS SDK for Python (Boto3) using pip:
pip install boto3
- Create a boto3 ECR client object:
import boto3
ecr_client = boto3.client('ecr')
- Get the list of images in the ECR repository:
repository_name = 'my-ecr-repo'
image_list = ecr_client.list_images(repositoryName=repository_name)['imageIds']
- Iterate through the image list and set the image tag as immutable:
for image in image_list:
image_digest = image['imageDigest']
response = ecr_client.put_image_tag_mutability(
repositoryName=repository_name,
imageTag=image['imageTag'],
imageDigest=image_digest,
imageTagMutability='IMMUTABLE'
)
- Verify that the tag mutability is set to immutable:
image_detail = ecr_client.describe_images(repositoryName=repository_name, imageIds=[{'imageDigest': image_digest}])['imageDetails'][0]
print(image_detail['imageTags'][0])
print(image_detail['imageTagMutability'])
By following these steps, you can remediate the issue of ECR Repository Tag Should Be Immutable in AWS using Python.