

πŸ›‘οΈ AWS ECR Repository Lifecycle Policy is not configured🟒

  • Contextual name: 🛡️ Repository Lifecycle Policy is not configured 🟢
  • ID: /ce/ca/aws/ecr/repository-lifecycle
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: COST, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-9a0607d91 | |

Description

This policy identifies AWS ECR repositories that have no lifecycle policy configured. A lifecycle policy is a set of prioritized rules that ECR evaluates automatically against the images in a repository and expires (deletes) the images that match, for example untagged images older than a given number of days, or tagged images beyond a given count. It is the mechanism for clearing out old or unused images without manual deletion.

Rationale

Configuring a lifecycle policy is a best practice for managing container images in ECR. It helps to:

  • Reduce Storage Costs: Automatically removes old or untagged images, preventing them from accumulating and incurring unnecessary storage charges.
  • Improve Repository Hygiene: Keeps repositories clean and makes it easier to find relevant images.
  • Avoid Hitting Service Quotas: Prevents reaching the maximum number of images allowed per repository.

Audit

This policy flags an AWS ECR Repository as INCOMPLIANT if its Lifecycle Policy Text JSON is empty.
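An implementation of this audit, added here as an example and not Cloudaware's own policy code. It uses two real boto3 ECR calls, the describe_repositories paginator and get_lifecycle_policy, which raises LifecyclePolicyNotFoundException when a repository has no policy attached; a missing policy and an empty policy text are both reported as INCOMPLIANT. FakeECR is a constructed stand-in client with invented repository names so the logic runs without AWS credentials.

```python
"""Find ECR repositories with no lifecycle policy.

Added example, not Cloudaware's own implementation of this policy. The audit
uses two real boto3 ECR calls: the describe_repositories paginator and
get_lifecycle_policy, which raises LifecyclePolicyNotFoundException when a
repository has no policy attached. FakeECR is a constructed stand-in client
(invented repository names) so the logic can run without AWS credentials.
"""
import json


class LifecyclePolicyNotFound(Exception):
    """Stand-in for ecr.exceptions.LifecyclePolicyNotFoundException."""


def classify(policy_text):
    """Mirror the page's test: INCOMPLIANT when the lifecycle policy text is
    empty, not JSON, or carries no rules; COMPLIANT otherwise."""
    if not policy_text or not policy_text.strip():
        return "INCOMPLIANT"
    try:
        policy = json.loads(policy_text)
    except ValueError:
        return "INCOMPLIANT"
    if isinstance(policy, dict) and policy.get("rules"):
        return "COMPLIANT"
    return "INCOMPLIANT"


def audit(ecr, not_found_exc=LifecyclePolicyNotFound):
    """Return {repositoryName: status} for every repository the client can see.

    With a real client: audit(ecr, ecr.exceptions.LifecyclePolicyNotFoundException).
    """
    results = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            name = repo["repositoryName"]
            try:
                text = ecr.get_lifecycle_policy(repositoryName=name)["lifecyclePolicyText"]
            except not_found_exc:
                text = ""  # no policy attached: treated the same as empty policy text
            results[name] = classify(text)
    return results


class FakeECR:
    """Constructed offline stand-in for boto3's ECR client (sample data only)."""

    _repos = ["app/api", "app/worker"]
    _policies = {
        "app/api": json.dumps({"rules": [{
            "rulePriority": 1,
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 14},
            "action": {"type": "expire"},
        }]}),
    }

    class _Paginator:
        def __init__(self, repos):
            self._repos = repos

        def paginate(self):
            # One page per repository, so the pagination loop is exercised.
            for name in self._repos:
                yield {"repositories": [{"repositoryName": name}]}

    def get_paginator(self, name):
        assert name == "describe_repositories"
        return self._Paginator(self._repos)

    def get_lifecycle_policy(self, repositoryName):
        if repositoryName not in self._policies:
            raise LifecyclePolicyNotFound(repositoryName)
        return {"repositoryName": repositoryName,
                "lifecyclePolicyText": self._policies[repositoryName]}


if __name__ == "__main__":
    import boto3  # only needed for a live run against an AWS account

    client = boto3.client("ecr")
    report = audit(client, client.exceptions.LifecyclePolicyNotFoundException)
    for name, status in sorted(report.items()):
        print(f"{status:12} {name}")
```

Run it with AWS credentials for the account and region under review; each repository prints as COMPLIANT or INCOMPLIANT, matching the flag this policy raises.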

Remediation

Configure Lifecycle Policy

Create and apply a lifecycle policy to your Amazon ECR repository. A lifecycle policy contains one or more rules; each rule has a unique rulePriority (lower numbers are evaluated first), a selection that says which images match, and an action (currently only expire). Expiration permanently deletes the matching images, and an untagged image may still be in use if consumers pull it by digest, so preview the policy against the repository (aws ecr start-lifecycle-policy-preview) before applying it.

From AWS CLI
  1. Create a JSON file named {{lifecycle-policy}}.json with the rules for your policy. For example, this rule expires untagged images 14 days after they were pushed:

    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Expire untagged images older than 14 days",
          "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": 14
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
  2. Apply the lifecycle policy to your repository:

    aws ecr put-lifecycle-policy \
      --repository-name {{repository-name}} \
      --lifecycle-policy-text file://{{lifecycle-policy}}.json
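The same procedure carried through in Python, as an added example that is not the page's own remediation code. build_policy reproduces the untagged rule above and adds a second rule that caps the number of tagged release images (the tag prefixes release- and v are assumed, not taken from the page); validate checks the constraints ECR enforces on a policy document before any API call (unique positive rulePriority values, tagStatus of tagged/untagged/any, tag prefixes or patterns only on tagged rules, an any rule carrying the highest priority, countUnit days only with sinceImagePushed, positive countNumber, action type expire); apply_policy previews the outcome with boto3's start_lifecycle_policy_preview, the lifecycle_policy_preview_complete waiter and the get_lifecycle_policy_preview paginator, and only calls put_lifecycle_policy when dry_run is False.

```python
"""Build, validate, preview and apply an ECR lifecycle policy.

Added example, not the page's own remediation code. build_policy reproduces
the page's untagged rule and adds a tagged rule; the release- and v tag
prefixes are assumed. validate() applies the constraints ECR enforces on a
policy document; apply_policy() uses real boto3 ECR methods and is only
exercised when run against AWS.
"""
import json

TAG_STATUSES = ("tagged", "untagged", "any")
COUNT_TYPES = ("imageCountMoreThan", "sinceImagePushed")


def build_policy(untagged_days=14, keep_releases=10, release_prefixes=("release-", "v")):
    """Two rules: expire untagged images after N days, and cap tagged release images."""
    return {"rules": [
        {
            "rulePriority": 1,
            "description": f"Expire untagged images older than {untagged_days} days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": untagged_days},
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": f"Keep only the newest {keep_releases} release images",
            "selection": {"tagStatus": "tagged", "tagPrefixList": list(release_prefixes),
                          "countType": "imageCountMoreThan", "countNumber": keep_releases},
            "action": {"type": "expire"},
        },
    ]}


def _positive_int(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def validate(policy):
    """Return a list of problems; an empty list means ECR should accept the document."""
    rules = policy.get("rules") if isinstance(policy, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must contain a non-empty 'rules' list"]
    problems = []
    priorities = [r.get("rulePriority") for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("rulePriority values must be unique")
    valid_priorities = [p for p in priorities if _positive_int(p)]
    for rule, prio in zip(rules, priorities):
        tag = f"rule {prio!r}"
        sel = rule.get("selection", {})
        status = sel.get("tagStatus")
        if not _positive_int(prio):
            problems.append(f"{tag}: rulePriority must be a positive integer")
        if status not in TAG_STATUSES:
            problems.append(f"{tag}: tagStatus must be one of {TAG_STATUSES}")
        has_tags = bool(sel.get("tagPrefixList") or sel.get("tagPatternList"))
        if status == "tagged" and not has_tags:
            problems.append(f"{tag}: tagged rules need tagPrefixList or tagPatternList")
        if status != "tagged" and has_tags:
            problems.append(f"{tag}: only tagged rules may list tag prefixes or patterns")
        if status == "any" and valid_priorities and prio != max(valid_priorities):
            problems.append(f"{tag}: a tagStatus 'any' rule must have the highest rulePriority")
        count_type = sel.get("countType")
        if count_type not in COUNT_TYPES:
            problems.append(f"{tag}: countType must be one of {COUNT_TYPES}")
        elif count_type == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"{tag}: sinceImagePushed requires countUnit 'days'")
        elif count_type == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"{tag}: imageCountMoreThan must not set countUnit")
        if not _positive_int(sel.get("countNumber")):
            problems.append(f"{tag}: countNumber must be a positive integer")
        if rule.get("action", {}).get("type") != "expire":
            problems.append(f"{tag}: action.type must be 'expire'")
    return problems


def apply_policy(ecr, repository_name, policy, dry_run=True):
    """Preview what the policy would expire; put it only when dry_run is False.

    Returns the preview results (one dict per image that would be expired).
    """
    problems = validate(policy)
    if problems:
        raise ValueError("invalid lifecycle policy: " + "; ".join(problems))
    text = json.dumps(policy)
    ecr.start_lifecycle_policy_preview(repositoryName=repository_name, lifecyclePolicyText=text)
    ecr.get_waiter("lifecycle_policy_preview_complete").wait(repositoryName=repository_name)
    would_expire = []
    pages = ecr.get_paginator("get_lifecycle_policy_preview").paginate(repositoryName=repository_name)
    for page in pages:
        would_expire.extend(page.get("previewResults", []))
    if not dry_run:
        ecr.put_lifecycle_policy(repositoryName=repository_name, lifecyclePolicyText=text)
    return would_expire


if __name__ == "__main__":
    import sys
    import boto3  # live run only: python this_script.py <repository-name> [--apply]

    client = boto3.client("ecr")
    images = apply_policy(client, sys.argv[1], build_policy(), dry_run="--apply" not in sys.argv)
    for image in images:
        print(image.get("imageDigest"), image.get("imageTags"), image.get("imagePushedAt"))
```

Without --apply the script only prints the images the policy would expire, which is the list to review for digests still referenced by running workloads; after a real apply, aws ecr get-lifecycle-policy --repository-name <name> returns the stored policy text and the audit above reports the repository as COMPLIANT.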



Linked Framework Sections

Section | Rules / Policies (counts) | Compliance
💼 APRA CPG 234 → 💼 16c information security operations and administration; | 44 | no data
💼 APRA CPG 234 → 💼 36h patch management controls — to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner; | 77 | no data
💼 APRA CPG 234 → 💼 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life5, out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats. | 77 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured | 11 | no data
💼 Cloudaware Framework → 💼 Resource Optimization | 24 | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3128 | no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 16 | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 27 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 328 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 16 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 23 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 727 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 16 | no data