Ensure that Amazon ECR image repositories are using lifecycle policies.

Amazon ECR lifecycle policies provide more control over the lifecycle management of images in a private repository. A lifecycle policy contains one or more rules, where each rule defines an action for Amazon ECR. This provides a way to automate the cleaning up of your container images by expiring images based on age or count. You should expect that after creating a lifecycle policy, the affected images are expired within 24 hours. When Amazon ECR performs an action based on a lifecycle policy, this is captured as an event in AWS CloudTrail.

Risk Level: Low
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.OPE.24
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcrRepository should not have lifecyclePolicy.document isEmpty()

REMEDIATION

From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that contains the repository for which to create a lifecycle policy.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, on the Private tab, select a repository to view the repository image list.
  5. On the repository image list view, in the left navigation pane, choose Lifecycle Policy.
  6. On the repository lifecycle policy page, choose Create rule.
  7. Enter the following details for your lifecycle policy rule.
    a) For Rule priority, type a number for the rule priority.
    b) For Rule description, type a description for the lifecycle policy rule.
    c) For Image status, choose Tagged, Untagged, or Any.
    d) If you specified Tagged for Image status, then for Tag prefixes, you can optionally specify a list of image tags on which to take action with your lifecycle policy. If you specified Untagged, this field must be empty.
    e) For Match criteria, choose values for Since image pushed or Image count more than (if applicable).
  8. Choose Save.
  9. Create additional lifecycle policy rules by repeating steps 6-8.

From TF
Use the resource "aws_ecr_lifecycle_policy" to attach a lifecycle policy to a repository. The example below expires untagged images that are older than 14 days.

resource "aws_ecr_lifecycle_policy" "examplepolicy" {
  # Name of the repository the policy applies to (a literal here; a reference
  # such as aws_ecr_repository.example.name also works).
  repository = "example-repository"

  # <<-EOF strips the leading indentation, so the closing EOF may be indented.
  policy = <<-EOF
  {
    "rules": [
      {
        "rulePriority": 1,
        "description": "Expire images older than 14 days",
        "selection": {
          "tagStatus": "untagged",
          "countType": "sinceImagePushed",
          "countUnit": "days",
          "countNumber": 14
        },
        "action": {
          "type": "expire"
        }
      }
    ]
  }
  EOF
}

From Command Line

  1. Create a local file named policy.json with the contents of the lifecycle policy. See the references below for example policies.
  2. Create a lifecycle policy by specifying the repository name and referencing the lifecycle policy JSON file you created (replace repository-name with your repository):
aws ecr put-lifecycle-policy --repository-name repository-name --lifecycle-policy-text file://policy.json
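The two checks a practitioner wants before and after remediation are (1) whether a repository actually has a non-empty lifecycle policy, which is what the GSL rule above expresses, and (2) whether a policy.json is well-formed before it is handed to put-lifecycle-policy. The Python below is an added example, not CloudGuard's or AWS's code: it models the GSL check over repository records in the `lifecyclePolicy.document` shape, validates a policy document against the rule structure shown in the Terraform and CLI sections, and builds those records from an ECR client. `FakeEcrClient`, `SAMPLE_POLICY`, `BAD_POLICY` and the repository names are constructed so it runs offline; the one assumption about the real API is that a boto3 ECR client's `get_lifecycle_policy` raises `LifecyclePolicyNotFoundException` when no policy is attached.

```python
import json

VALID_TAG_STATUS = {"tagged", "untagged", "any"}
VALID_COUNT_TYPES = {"sinceImagePushed", "imageCountMoreThan"}

# Constructed sample: the same 14-day untagged policy as the Terraform example.
SAMPLE_POLICY = json.dumps({
    "rules": [{
        "rulePriority": 1,
        "description": "Expire images older than 14 days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": 14},
        "action": {"type": "expire"},
    }]
})

# Constructed sample with two defects: a 'tagged' rule without tag prefixes,
# and a duplicated rulePriority.
BAD_POLICY = json.dumps({
    "rules": [
        {"rulePriority": 1,
         "selection": {"tagStatus": "tagged", "countType": "imageCountMoreThan",
                       "countNumber": 10},
         "action": {"type": "expire"}},
        {"rulePriority": 1,
         "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                       "countNumber": 50},
         "action": {"type": "expire"}},
    ]
})


def validate_lifecycle_policy(policy_text: str) -> list:
    """Return the problems found in a lifecycle policy JSON document.

    An empty list means the document follows the structure used above:
    unique positive rulePriority, a selection with tagStatus and countType,
    and an action of type "expire".
    """
    problems = []
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must contain a non-empty 'rules' array"]
    seen = set()
    for idx, rule in enumerate(rules):
        where = f"rule[{idx}]"
        prio = rule.get("rulePriority")
        if not isinstance(prio, int) or prio < 1:
            problems.append(f"{where}: rulePriority must be a positive integer")
        elif prio in seen:
            problems.append(f"{where}: duplicate rulePriority {prio}")
        seen.add(prio)
        sel = rule.get("selection") or {}
        status = sel.get("tagStatus")
        if status not in VALID_TAG_STATUS:
            problems.append(f"{where}: tagStatus must be one of {sorted(VALID_TAG_STATUS)}")
        has_filter = bool(sel.get("tagPrefixList") or sel.get("tagPatternList"))
        if status == "tagged" and not has_filter:
            problems.append(f"{where}: tagStatus 'tagged' requires tagPrefixList or tagPatternList")
        if status in ("untagged", "any") and has_filter:
            problems.append(f"{where}: tag filters are only allowed when tagStatus is 'tagged'")
        ctype = sel.get("countType")
        if ctype not in VALID_COUNT_TYPES:
            problems.append(f"{where}: countType must be one of {sorted(VALID_COUNT_TYPES)}")
        elif ctype == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        elif ctype == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"{where}: countUnit is not allowed with imageCountMoreThan")
        count = sel.get("countNumber")
        if not isinstance(count, int) or count < 1:
            problems.append(f"{where}: countNumber must be a positive integer")
        if (rule.get("action") or {}).get("type") != "expire":
            problems.append(f"{where}: action.type must be 'expire'")
    return problems


def repositories_without_lifecycle_policy(repositories: list) -> list:
    """The GSL rule: a repository fails when lifecyclePolicy.document is empty."""
    failing = []
    for repo in repositories:
        document = (repo.get("lifecyclePolicy") or {}).get("document") or ""
        if not document.strip():
            failing.append(repo["repositoryName"])
    return failing


def entity_from_ecr(client, repository_name: str) -> dict:
    """Build a record in the shape the rule evaluates from an ECR client.

    Assumed boto3 behaviour: get_lifecycle_policy raises
    LifecyclePolicyNotFoundException when the repository has no policy.
    """
    try:
        resp = client.get_lifecycle_policy(repositoryName=repository_name)
        document = resp.get("lifecyclePolicyText", "")
    except client.exceptions.LifecyclePolicyNotFoundException:
        document = ""
    return {"repositoryName": repository_name, "lifecyclePolicy": {"document": document}}


class FakeEcrClient:
    """Constructed stand-in for a boto3 ECR client so the example runs offline."""

    class exceptions:
        class LifecyclePolicyNotFoundException(Exception):
            pass

    def __init__(self, policies: dict):
        self._policies = policies  # repositoryName -> policy text

    def get_lifecycle_policy(self, repositoryName):
        if repositoryName not in self._policies:
            raise self.exceptions.LifecyclePolicyNotFoundException(repositoryName)
        return {"repositoryName": repositoryName,
                "lifecyclePolicyText": self._policies[repositoryName]}


if __name__ == "__main__":
    client = FakeEcrClient({"app-api": SAMPLE_POLICY})  # constructed inventory
    entities = [entity_from_ecr(client, n) for n in ("app-api", "app-worker")]
    print("failing the rule:", repositories_without_lifecycle_policy(entities))
    print("problems in BAD_POLICY:", validate_lifecycle_policy(BAD_POLICY))
```

Run `validate_lifecycle_policy` on the contents of policy.json before the put-lifecycle-policy step; to audit a real account, pass a `boto3.client("ecr")` to `entity_from_ecr` for each name returned by `describe_repositories` in place of `FakeEcrClient`.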

References

  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html
  2. https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you can push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS ISO27001:2022
  • CloudGuard AWS All Rules Ruleset