Ensure that ECR image tags are immutable.

You can configure a repository to enable tag mutability to prevent image tags from being overwritten. After the repository is configured for immutable tags, an ImageTagAlreadyExistsException error is returned if you attempt to push an image with a tag that is already in the repository. When tag immutability is enabled for a repository, this affects all tags and you cannot make some tags immutable while others aren't.

Risk Level: High
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.AS.08
Covered by Spectral: Yes
Category: Compute


EcrRepository should have imageTagMutability='IMMUTABLE'


From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that contains the repository to edit.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the Private tab and then select the repository to edit and choose Edit.
  5. For Tag immutability, choose the tag mutability setting for the repository.
  6. Enable the Tag immutability toggle, Save.

From Command Line
To add a policy with required permissions and appropriate condition as needed, run:

aws ecr put-image-tag-mutability --repository-name NAME --image-tag-mutability IMMUTABLE --region us-east-2

From TF
Use the resource 'aws_ecr_repository' and property 'image_tag_mutability' and set it to 'IMMUTABLE'. See below example;

resource "aws_ecr_repository" "myrepo" {
	name                 = "examplerepo"
	image_tag_mutability = "IMMUTABLE"

From CFT
Use the resource 'AWS::ECR::Repository' and property 'ImageTagMutability' and set it to 'IMMUTABLE'. See below example;

Type: AWS::ECR::Repository
ImageTagMutability: "IMMUTABLE"


  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset