Amazon Elastic Container Registry (Amazon ECR)

ECR Repository Tag Immutability

This plugin prevents image tags in the ECR repository from being overwritten

Risk Level: Low

Description:

This plugin prevents image tags in the ECR repository from being overwritten. To minimise the risk of potentially harmful images being distributed to live environments, ECR repositories should be configured to reject overwriting of existing image tags.

PingSafe strongly recommends updating ECR repository configurations so that image tag mutability is set to immutable.

About the Service:

Amazon ECR private registries provide highly available and scalable storage for container images. You can use your own private registry to manage private image repositories made up of images and artefacts in the Docker and Open Container Initiative (OCI) formats. A default Amazon ECR registry is provided for each AWS account.

Impact:

To prevent image tags from being overwritten, you can configure a repository with immutable tags. Once a repository is set to immutable tags, any attempt to push an image with a tag that already exists in that repository fails with an ImageTagAlreadyExistsException.

Steps to reproduce:

  1. Log in to AWS Console.
  2. Navigate to the ECS dashboard.
    https://us-east-2.console.aws.amazon.com/ecs/
  3. Click on “Repositories” in the left navigation panel under Amazon ECR.
  4. Look at the image repository that you want to examine.
  5. Check the Tag immutability setting. If it shows Disabled, image tags in the repository can be overwritten.
  6. Repeat the steps for the rest of the Amazon ECR repositories available within the current region.

Steps for remediation:

  1. Log in to AWS Console.
  2. Navigate to the ECS dashboard.
    https://us-east-2.console.aws.amazon.com/ecs/
  3. Click on “Repositories” in the left navigation panel under Amazon ECR.
  4. Look at the image repository that you want to examine.
  5. Check the Tag immutability setting. If it shows Disabled, image tags in the repository can be overwritten.
  6. Select the image repository that you want to edit and click on Edit.
  7. Click on Tag immutability, set it to Enabled, and then click Save.
  8. Repeat the steps for the rest of the Amazon ECR repositories available within the current region.
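The same check and fix can be scripted with the AWS CLI instead of clicking through every repository. This is an added example, not PingSafe's code: it parses the output of `aws ecr describe-repositories` (a constructed sample is embedded so it runs offline), lists repositories whose tags are still mutable, and builds the matching `aws ecr put-image-tag-mutability` remediation commands; the account id and repository names in the sample are made up.

```python
"""Audit ECR repositories for mutable image tags and build remediation commands."""
import json
import shlex
import subprocess

# Constructed sample of `aws ecr describe-repositories --output json`
# (fake account id and repository names; one repository still allows tag overwrites).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"repositoryName": "api-backend", "imageTagMutability": "MUTABLE",
         "repositoryUri": "123456789012.dkr.ecr.us-east-2.amazonaws.com/api-backend"},
        {"repositoryName": "batch-worker", "imageTagMutability": "IMMUTABLE",
         "repositoryUri": "123456789012.dkr.ecr.us-east-2.amazonaws.com/batch-worker"},
    ]
})


def mutable_repositories(describe_json: str) -> list:
    """Return the sorted names of repositories whose image tags can be overwritten.

    A missing imageTagMutability field is treated as MUTABLE so that an
    unexpected response shape is reported rather than silently passed.
    """
    data = json.loads(describe_json)
    return sorted(
        repo["repositoryName"]
        for repo in data.get("repositories", [])
        if repo.get("imageTagMutability", "MUTABLE") != "IMMUTABLE"
    )


def remediation_commands(repo_names, region="us-east-2") -> list:
    """One `put-image-tag-mutability` command per mutable repository."""
    return [
        "aws ecr put-image-tag-mutability --region %s --repository-name %s "
        "--image-tag-mutability IMMUTABLE" % (shlex.quote(region), shlex.quote(name))
        for name in repo_names
    ]


def describe_live(region: str) -> str:
    """Fetch real output from the AWS CLI (needs credentials; not used in the sample run)."""
    return subprocess.check_output(
        ["aws", "ecr", "describe-repositories", "--region", region, "--output", "json"],
        text=True,
    )


if __name__ == "__main__":
    for cmd in remediation_commands(mutable_repositories(SAMPLE_DESCRIBE_OUTPUT)):
        print(cmd)
```

Replace `SAMPLE_DESCRIBE_OUTPUT` with `describe_live(region)` and run the printed commands once per region to cover every repository the console steps above would visit.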
