Repository Customer Key | Vulnerability Database

ECR Repository should use customer managed keys to allow more control

Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Use customer managed keys

1
2
3
4
5
6
7
8


Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: alias/ecr-key
      RepositoryName: test-repository

Remediation Links

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-encryptionconfiguration

Use customer managed keys

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


resource "aws_kms_key" "ecr_kms" {
  enable_key_rotation = true
}

resource "aws_ecr_repository" "good_example" {
  name = "bar"
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr_kms.key_id
  }
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration