Ensure that ECR repositories are encrypted.

In order to secure your ECR data at rest, make sure you have encrypted your ECR repositories using KMS.

Risk Level: High
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.CRY.64
Covered by Spectral: No
Category: Compute


EcrRepository should not have encryptionConfiguration.kmsKey isEmpty()


From Portal
Currently encryption settings for a repository can't be changed once the repository is created, hence create a new repository with enabling encryption and push your current images to it.

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region to create your repository in.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the Private tab, and then choose Create repository.
  5. For Visibility settings, verify that Private is selected.
  6. Enter a unique name for your repository.
  7. Enable the KMS Encryption option using the toggle, Create.

From Command Line

  1. Create ECR with AWS Managed CMK
aws ecr create-repository --repository-name encryptedrepo --encryption-configuration encryptionType=KMS
  1. Create ECR with Customer Managed CMK.
aws ecr create-repository --repository-name encryptedrepo --encryption-configuration encryptionType=KMS,kmsKey=KmsKeyARN

From TF
Use the resource 'aws_ecr_repository' & property 'image_scanning_configuration.scan_on_push' and set it to 'true'

resource "aws_ecr_repository" "myrepo" {
	name= encryptedrepo
	encryption_configuration {
		encryption_type = "KMS"
		kms_key = KmsKeyARN

From CFT
Use the resource 'AWS::ECR::Repository' & property 'ImageScanningConfiguration::ScanOnPush' and set it to 'true'

Type: AWS::ECR::Repository
EncryptionType: KMS
KmsKey: KmsKeyARN


  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/create-repository.html#
  4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecr-repository-encryptionconfiguration.html

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset