AWS Config Rule: ECR Private Tag Immutability Enabled
ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED
Ryan Ware
Last Update setahun yang lalu
Description: Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled. This rule is NON_COMPLIANT if tag immutability is not enabled for the private ECR repository.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Europe (Spain), China (Ningxia), Europe (Zurich) Region
How to Resolve Manually
The tag immutability setting determines whether the image tags in the repository can be overwritten. When tag immutability is enabled, if an image is pushed to the repository with a tag that already exists, an error will be received. This setting can be changed for a repository at any time.
By default, this setting is disabled when you create your own Repository inside Amazon Elastic Container Registry (ECR). In order to change this settings and resolve this Config Rule manually, you will first need to navigate to the ECR Dashboard within the AWS Console.
From the list of ECR Repositories, find the one which you would like to resolve. Choose Edit repository and under general settings you will see the Tag immutability option. Click this icon to move it from disabled to enabled. This will then enable tag immutability to prevent image tags from being overwritten by subsequent image pushes using the same tag. Disable tag immutability to allow image tags to be overwritten.
You will now be able to see this resource change to COMPLIANT in line with this particular AWS Config Rule.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here
