⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 AWS → 📁 ECR

🛡️ AWS ECR Repository Image Tag Mutability is set to Mutable🟢

Contextual name: 🛡️ Repository Image Tag Mutability is set to Mutable🟢
ID: /ce/ca/aws/ecr/repository-image-tag-mutability
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ECR Repository
- 🔌 AWS ECR Repository - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ECR.2] ECR private repositories should have tag immutability configured
Internal: dec-x-767cce1f

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-767cce1f	1

Description

Open File

Description

This policy identifies AWS ECR Repositories that are not configured with image tag immutability. When enabled, image tag immutability prevents existing image tags from being overwritten by subsequent pushes with the same tag.

Rationale

Setting image tag mutability to IMMUTABLE ensures that a tag, such as my-app:latest or my-app:v1.0, consistently references a specific image digest. This safeguards against accidental or malicious overwrites, which could result in deploying incorrect or vulnerable application versions. Immutable tags provide a reliable and auditable deployment history, facilitating rollbacks and supporting a secure software supply chain.

To selectively allow updates, you can configure Mutable tag exclusions or Immutable tag exclusions, enabling flexibility for specific use cases while maintaining overall immutability.

Audit

This policy flags an AWS ECR Repository as INCOMPLIANT if its Image Tag Mutability is set to MUTABLE.

Remediation

Open File

Remediation

Configure Image Tag Mutability

Setting image tags to immutable helps prevent accidental overwrites of container images, enhancing security and ensuring consistency in your deployments.

From AWS CLI
aws ecr put-image-tag-mutability \
    --repository-name {{repository-name}} \
    --image-tag-mutability {{IMMUTABLE | IMMUTABLE_WITH_EXCLUSION | MUTABLE_WITH_EXCLUSION}} \
    --image-tag-mutability-exclusion-filters filterType=WILDCARD,filter=latest
IMMUTABLE_WITH_EXCLUSION: Prevents overwrites except for specified exclusions.

MUTABLE_WITH_EXCLUSION: Allows overwrites but can make certain tags immutable.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.2] ECR private repositories should have tag immutability configured		1	1	no data
💼 Cloudaware Framework → 💼 System Configuration			35	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	28	no data
💼 FedRAMP High Security Controls → 💼 CM-8(1) Updates During Installation and Removal (M)(H)			2	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			27	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		28	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-8(1) Updates During Installation and Removal (M)(H)			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			23	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		27	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-8(1) System Component Inventory _ Updates During Installation and Removal			2	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Configure Image Tag Mutability​

From AWS CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

Remediation

Remediation

Configure Image Tag Mutability

From AWS CLI

policy.yaml

Linked Framework Sections