HIGH
Source
Trivy/CSPM
CSPM ID
ecr-repository-tag-immutability
ID
AVD-AWS-0031

ECR image tags shouldn't be mutable.

ECR repositories should have tag mutability set to IMMUTABLE to prevent code injection through image mutation: with mutable tags, an existing tag such as `latest` can be re-pointed at a different image.

This can be done by setting image_tag_mutability to IMMUTABLE.

Impact

Image tags could be overwritten with compromised images

Follow the appropriate remediation steps below to resolve the issue.

Only use immutable images in ECR

Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageTagMutability: IMMUTABLE
      ImageScanningConfiguration:
        ScanOnPush: false
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: "alias/ecr-key"

Only use immutable images in ECR

resource "aws_ecr_repository" "good_example" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}
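As an added example (not part of the Trivy/AVD page or its remediation snippets), the following Python flags the mutable setting in two places: in live repositories, from the JSON that `aws ecr describe-repositories` returns, and in Terraform, where an omitted `image_tag_mutability` inherits the provider default of MUTABLE and so is just as much a finding as an explicit value. All sample data is constructed.

```python
import json
import re

# Constructed sample of `aws ecr describe-repositories` output (not real account data).
# The API reports "imageTagMutability" as MUTABLE or IMMUTABLE; MUTABLE is the default.
SAMPLE_DESCRIBE = json.dumps({"repositories": [
    {"repositoryName": "app-api", "imageTagMutability": "IMMUTABLE"},
    {"repositoryName": "app-worker", "imageTagMutability": "MUTABLE"},
    {"repositoryName": "legacy", "imageTagMutability": "MUTABLE"},
]})

# Constructed Terraform: one compliant repository, one explicitly MUTABLE, and one
# that omits the attribute and therefore inherits the provider default of MUTABLE.
SAMPLE_TF = '''
resource "aws_ecr_repository" "good" {
  name                 = "good"
  image_tag_mutability = "IMMUTABLE"
}
resource "aws_ecr_repository" "bad" {
  name                 = "bad"
  image_tag_mutability = "MUTABLE"
}
resource "aws_ecr_repository" "implicit" {
  name = "implicit"
}
'''

def mutable_repositories(describe_json: str) -> list[str]:
    """Names of live repositories whose existing tags can still be overwritten."""
    repos = json.loads(describe_json).get("repositories", [])
    # Treat a missing field as MUTABLE, mirroring the service default.
    return sorted(r["repositoryName"] for r in repos
                  if r.get("imageTagMutability", "MUTABLE") != "IMMUTABLE")

_BLOCK = re.compile(r'resource\s+"aws_ecr_repository"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_ATTR = re.compile(r'image_tag_mutability\s*=\s*"([^"]+)"')

def mutable_tf_resources(hcl: str) -> list[str]:
    """Terraform resource labels that would create a repository with mutable tags."""
    findings = []
    for block in _BLOCK.finditer(hcl):
        attr = _ATTR.search(block.group(2))
        # No attribute at all is a finding: the provider defaults to MUTABLE.
        if attr is None or attr.group(1) != "IMMUTABLE":
            findings.append(block.group(1))
    return findings

if __name__ == "__main__":
    print("live repositories to fix:", mutable_repositories(SAMPLE_DESCRIBE))
    print("terraform resources to fix:", mutable_tf_resources(SAMPLE_TF))
```

Repositories reported by `mutable_repositories` can be switched in place with `aws ecr put-image-tag-mutability --repository-name NAME --image-tag-mutability IMMUTABLE`; existing tags are kept but can no longer be re-pointed.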