
πŸ›‘οΈ AWS ECR Repository Lifecycle Policy is not configured🟒

  • Contextual name: 🛡️ Repository Lifecycle Policy is not configured 🟢
  • ID: /ce/ca/aws/ecr/repository-lifecycle
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: COST, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-9a0607d91 | |

Description

This policy identifies AWS ECR Repositories that do not have a lifecycle policy configured. A lifecycle policy is a set of rules that automates the management of images in a repository, helping to clean up old or unused images.

Rationale​

Configuring a lifecycle policy is a best practice for managing container images in ECR. It helps to:

  • Reduce Storage Costs: Automatically removes old or untagged images, preventing them from accumulating and incurring unnecessary storage charges.
  • Improve Repository Hygiene: Keeps repositories clean and makes it easier to find relevant images.
  • Avoid Hitting Service Quotas: Prevents reaching the maximum number of images allowed per repository.

Audit​

This policy flags an AWS ECR Repository as INCOMPLIANT if its Lifecycle Policy Text JSON is empty.

Remediation

Configure Lifecycle Policy

Create and apply a lifecycle policy to your Amazon ECR repository. A lifecycle policy contains one or more rules that define the cleanup actions for the images in your repository.

From AWS CLI
  1. Create a JSON file named {{lifecycle-policy}}.json with the rules for your policy. For example:

    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Expire images older than 14 days",
          "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": 14
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
  2. Apply the lifecycle policy to your repository:

    aws ecr put-lifecycle-policy \
      --repository-name {{repository-name}} \
      --lifecycle-policy-text file://{{lifecycle-policy}}.json
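As an added check that is not code from this page or from Cloudaware, the Python below applies the Audit rule above (no lifecycle policy text means INCOMPLIANT) to an inventory of repositories and, for the remediation step, validates a lifecycle policy document before it is handed to `put-lifecycle-policy`. Everything in it is constructed: the repository names, the inventory, and the deliberately broken policy. The record shape assumes `repositoryName` as returned by `aws ecr describe-repositories` and `lifecyclePolicyText` as returned by `aws ecr get-lifecycle-policy`, with `None` standing for the LifecyclePolicyNotFoundException that call raises when no policy exists; pulling live records with boto3 is left to the caller.

```python
# Added example: audit ECR repositories for a lifecycle policy and sanity-check
# a policy document before applying it. Not code from the policy page or from
# Cloudaware; the inventory and the broken policy below are constructed.
import json

VALID_TAG_STATUS = {"tagged", "untagged", "any"}
VALID_COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}

# The document from the remediation step (expire untagged images after 14 days).
PAGE_POLICY = {
    "rules": [{
        "rulePriority": 1,
        "description": "Expire images older than 14 days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": 14},
        "action": {"type": "expire"},
    }]
}

# Constructed counter-example: it is present, so it passes the page's check, but
# ECR would reject it (tagged rule without a tag filter, duplicate priority,
# missing countUnit, unsupported action type).
BROKEN_POLICY = {
    "rules": [
        {"rulePriority": 1, "action": {"type": "expire"},
         "selection": {"tagStatus": "tagged", "countType": "imageCountMoreThan", "countNumber": 30}},
        {"rulePriority": 1, "action": {"type": "delete"},
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed", "countNumber": 7}},
    ]
}

# Constructed inventory; repository names are hypothetical. None models the
# LifecyclePolicyNotFoundException raised by get-lifecycle-policy.
SAMPLE_REPOSITORIES = [
    {"repositoryName": "api-service", "lifecyclePolicyText": json.dumps(PAGE_POLICY)},
    {"repositoryName": "legacy-batch", "lifecyclePolicyText": None},
    {"repositoryName": "sandbox", "lifecyclePolicyText": ""},
    {"repositoryName": "nightly-build", "lifecyclePolicyText": json.dumps(BROKEN_POLICY)},
]


def validate_lifecycle_policy(text):
    """Return the problems found in a lifecycle policy document, following the
    documented syntax: non-empty rules, unique positive rulePriority, a valid
    tagStatus (tagged needs tagPrefixList or tagPatternList), a valid countType
    (sinceImagePushed needs countUnit "days"), positive countNumber, action expire."""
    problems = []
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return ["policy text is not valid JSON"]
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must contain a non-empty 'rules' list"]
    seen_priorities = set()
    for idx, rule in enumerate(rules, start=1):
        where = f"rule #{idx}"
        prio = rule.get("rulePriority")
        if not isinstance(prio, int) or prio < 1:
            problems.append(f"{where}: rulePriority must be a positive integer")
        elif prio in seen_priorities:
            problems.append(f"{where}: duplicate rulePriority {prio}")
        seen_priorities.add(prio)
        sel = rule.get("selection") or {}
        tag_status = sel.get("tagStatus")
        if tag_status not in VALID_TAG_STATUS:
            problems.append(f"{where}: tagStatus must be one of {sorted(VALID_TAG_STATUS)}")
        elif tag_status == "tagged" and not (sel.get("tagPrefixList") or sel.get("tagPatternList")):
            problems.append(f"{where}: tagStatus 'tagged' requires tagPrefixList or tagPatternList")
        count_type = sel.get("countType")
        if count_type not in VALID_COUNT_TYPES:
            problems.append(f"{where}: countType must be one of {sorted(VALID_COUNT_TYPES)}")
        elif count_type == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        count_number = sel.get("countNumber")
        if not isinstance(count_number, int) or count_number < 1:
            problems.append(f"{where}: countNumber must be a positive integer")
        if (rule.get("action") or {}).get("type") != "expire":
            problems.append(f"{where}: action.type must be 'expire'")
    return problems


def audit_repositories(repos):
    """Apply the page's check: missing or empty lifecycle policy text is
    INCOMPLIANT. Any non-empty text is COMPLIANT by that check, so the
    validator's findings are attached to show what presence alone misses."""
    report = {}
    for repo in repos:
        text = repo.get("lifecyclePolicyText")
        if text is None or not text.strip():
            report[repo["repositoryName"]] = {"status": "INCOMPLIANT",
                                              "findings": ["no lifecycle policy configured"]}
        else:
            report[repo["repositoryName"]] = {"status": "COMPLIANT",
                                              "findings": validate_lifecycle_policy(text)}
    return report


if __name__ == "__main__":
    for name, result in audit_repositories(SAMPLE_REPOSITORIES).items():
        print(name, result["status"], *result["findings"], sep="\n  ")
```

The fourth sample carries the caveat a reviewer should keep in mind: the policy only tests that lifecycle policy text exists, so a repository can be COMPLIANT while holding rules that ECR would reject or that never match an image, and an image retention review still has to read the rules themselves.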


policy.yaml

Linked Framework Sections

Section | Counts (Sub Sections / Internal Rules / Policies / Flags, as extracted) | Compliance
💼 APRA CPG 234 → 💼 16c information security operations and administration; | 44 | no data
💼 APRA CPG 234 → 💼 36h patch management controls — to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner; | 77 | no data
💼 APRA CPG 234 → 💼 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life[5], out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats. | 77 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured | 11 | no data
💼 AWS Well-Architected → 💼 SUS04-BP03 Use policies to manage the lifecycle of your datasets | 2 | no data
💼 Cloudaware Framework → 💼 Resource Optimization | 25 | no data
💼 Cloudaware Framework → 💼 System Configuration | 56 | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3147 | no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 45 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 347 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 746 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 22 | no data