
Rule: ECR repositories should have at least one lifecycle policy configured

This rule specifies the requirement for ECR repositories to have a lifecycle policy in place.

Rule: ECR repositories should have at least one lifecycle policy configured
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

This rule ensures that all Elastic Container Registry (ECR) repositories have at least one lifecycle policy configured. This is aligned with AWS Foundational Security Best Practices, as lifecycle policies help automate container image management, including image retention and deletion, ensuring efficient and secure container deployment.

Remediation Steps:

To configure a lifecycle policy for an ECR repository, follow the steps below:

1. Open the AWS Management Console and navigate to the Amazon Elastic Container Registry (ECR) service.

2. Select the desired ECR repository that needs a lifecycle policy.

3. Click on the "Lifecycle policies" tab in the repository details.

4. If no lifecycle policy exists, click on the "Create lifecycle policy" button.

5. Define the rules for the lifecycle policy based on your requirements. You can choose to specify a selection rule that matches specific images or use the default rule to apply to all images in the repository.

6. Specify the actions you want to perform on the selected images. These actions include transitioning images to different repositories, expiring images after a specific period, or permanently deleting them.

7. Review the lifecycle policy configuration and ensure it aligns with your intended image management strategy.

8. Click "Save" to apply the lifecycle policy to the ECR repository.
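The console steps above end in a JSON policy document; the same document is what the CLI `put-lifecycle-policy` command uploads. The following script is an added example (it is not Cloud Defense or AWS code) that builds a two-rule policy and validates it against the constraints ECR enforces before the document is uploaded: unique rule priorities, `countUnit` only on age-based rules, a tag prefix or pattern list on `tagged` rules, and an action type of `expire`, which is the only action type ECR lifecycle rules accept. The retention numbers and the `release-` tag prefix are constructed sample values.

```python
"""Build and validate an ECR lifecycle policy document (added example, not
Cloud Defense or AWS code).  The output matches the file expected by
`aws ecr put-lifecycle-policy --lifecycle-policy-text file://policy.json`.
Retention numbers and tag prefixes below are constructed sample values."""
import json

VALID_TAG_STATUS = {"tagged", "untagged", "any"}
VALID_COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}


def expire_rule(priority, description, tag_status, count_type, count_number,
                tag_prefixes=None):
    """Return one lifecycle rule; 'expire' is the only action type ECR accepts."""
    selection = {"tagStatus": tag_status, "countType": count_type,
                 "countNumber": count_number}
    if count_type == "sinceImagePushed":
        selection["countUnit"] = "days"          # required for age-based rules
    if tag_status == "tagged":
        selection["tagPrefixList"] = list(tag_prefixes or [])
    return {"rulePriority": priority, "description": description,
            "selection": selection, "action": {"type": "expire"}}


def validate_policy(policy):
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    rules = policy.get("rules", [])
    if not rules:
        problems.append("policy has no rules")
    priorities = [r.get("rulePriority") for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("rulePriority values must be unique")
    for r in rules:
        pri = r.get("rulePriority")
        sel = r.get("selection", {})
        if r.get("action", {}).get("type") != "expire":
            problems.append(f"rule {pri}: action type must be 'expire'")
        if sel.get("tagStatus") not in VALID_TAG_STATUS:
            problems.append(f"rule {pri}: tagStatus must be tagged, untagged or any")
        if sel.get("countType") not in VALID_COUNT_TYPES:
            problems.append(f"rule {pri}: unknown countType")
        if sel.get("countType") == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {pri}: sinceImagePushed requires countUnit 'days'")
        if sel.get("countType") == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {pri}: countUnit only applies to sinceImagePushed")
        if sel.get("tagStatus") == "tagged" and not (
                sel.get("tagPrefixList") or sel.get("tagPatternList")):
            problems.append(f"rule {pri}: tagged rules need tagPrefixList or tagPatternList")
        if not isinstance(sel.get("countNumber"), int) or sel.get("countNumber") < 1:
            problems.append(f"rule {pri}: countNumber must be a positive integer")
    return problems


def build_policy():
    """Constructed sample: drop untagged images after 14 days and keep only the
    30 most recent images whose tag starts with 'release-'."""
    return {"rules": [
        expire_rule(1, "Expire untagged images older than 14 days",
                    "untagged", "sinceImagePushed", 14),
        expire_rule(2, "Keep only the 30 most recent release images",
                    "tagged", "imageCountMoreThan", 30, tag_prefixes=["release-"]),
    ]}


def write_policy_file(path="policy.json"):
    """Validate the sample policy and write it where the CLI command expects it."""
    policy = build_policy()
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

Run the script and point `aws ecr put-lifecycle-policy --lifecycle-policy-text file://policy.json` at the file it writes. Validating locally first avoids a failed API call and, more importantly, catches a rule that would silently select more images than intended.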

Troubleshooting Steps:

If you encounter any issues while configuring the lifecycle policy, consider the following troubleshooting steps:

1. Permissions: Ensure that the IAM user or role you are using to configure the lifecycle policy has the necessary permissions to access and modify ECR repositories. Check if the user or role has the AmazonEC2ContainerRegistryFullAccess policy attached.

2. Repository Selection Rule: If you are using a specific selection rule, double-check if it accurately matches the images you want to apply the lifecycle policy to. Verify that the rule's filters (tag status, tag key, tag value) are correctly specified and aligned with your image criteria.

3. Actions: Review the actions defined in your lifecycle policy. Ensure that they are appropriate for your image management needs, taking into consideration retention periods, transitions, and deletions. Make adjustments as necessary.

4. Lifecycle Policy Limitations: Be aware that there are certain limitations when configuring lifecycle policies. For example, you cannot create a lifecycle policy that transitions images to a repository in a different AWS account. Refer to the AWS documentation for further limitations specific to your use case.

AWS CLI Commands:

If you prefer using the AWS Command Line Interface (CLI) to configure lifecycle policies for ECR repositories, the following commands can be used:

1. To create a lifecycle policy:

aws ecr put-lifecycle-policy --repository-name <repository-name> --lifecycle-policy-text file://policy.json

Replace <repository-name> with the name of your ECR repository, and policy.json with the path to a JSON file containing your lifecycle policy configuration.

2. To retrieve the lifecycle policy of a repository (the ECR API action is GetLifecyclePolicy, so the CLI subcommand is get-lifecycle-policy; a repository with no policy returns a LifecyclePolicyNotFoundException error):

aws ecr get-lifecycle-policy --repository-name <repository-name>

Replace <repository-name> with the name of your ECR repository.

3. To delete a lifecycle policy from a repository:

aws ecr delete-lifecycle-policy --repository-name <repository-name>

Replace <repository-name> with the name of your ECR repository.

Note: Ensure that you have the necessary permissions and have configured AWS CLI properly before using these commands.
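The rule itself is an inventory check: for every repository, fetch the lifecycle policy and report the ones that have none. The script below is an added example (not Cloud Defense or AWS code) of that audit. It takes any callable with the signature of boto3's `ecr.get_lifecycle_policy(repositoryName=...)`, treats a `LifecyclePolicyNotFoundException` error code as a finding, and re-raises anything else (for example an access-denied error) so a permission problem is not silently counted as compliant. The repository names, the in-memory policy store and the `FakeClientError` class are constructed stand-ins for a real account and for `botocore.exceptions.ClientError`; with real credentials you would pass `boto3.client("ecr").get_lifecycle_policy` instead and obtain the names from `describe-repositories`.

```python
"""Audit ECR repositories for a missing lifecycle policy (added example, not
Cloud Defense or AWS code).  The audit function accepts any callable shaped
like boto3's ecr.get_lifecycle_policy; the fake client and repository names
below are constructed so the script runs offline."""
import json

NOT_FOUND = "LifecyclePolicyNotFoundException"   # error code returned by GetLifecyclePolicy


class FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError: carries a .response with an error code."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


# Constructed inventory: policy text per repository, None means no policy is set.
FAKE_STORE = {
    "app/api": json.dumps({"rules": [{
        "rulePriority": 1, "description": "expire untagged after 14 days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": 14},
        "action": {"type": "expire"}}]}),
    "app/worker": None,
    "legacy/batch": json.dumps({"rules": []}),
}


def fake_get_lifecycle_policy(repositoryName):
    """Stand-in for ecr.get_lifecycle_policy: returns the same keys as the real
    response or raises the same not-found error code."""
    text = FAKE_STORE.get(repositoryName)
    if text is None:
        raise FakeClientError(NOT_FOUND)
    return {"registryId": "000000000000",      # placeholder account id
            "repositoryName": repositoryName,
            "lifecyclePolicyText": text}


def audit_repositories(repo_names, get_policy):
    """Return (compliant, findings): compliant is a list of repository names,
    findings maps each non-compliant repository to the reason."""
    compliant, findings = [], {}
    for name in repo_names:
        try:
            resp = get_policy(repositoryName=name)
        except Exception as err:
            code = getattr(err, "response", {}).get("Error", {}).get("Code")
            if code == NOT_FOUND:
                findings[name] = "no lifecycle policy configured"
                continue
            raise   # permission or throttling errors must surface, not pass silently
        rules = json.loads(resp.get("lifecyclePolicyText", "{}")).get("rules", [])
        if not rules:
            findings[name] = "lifecycle policy present but defines no rules"
        else:
            compliant.append(name)
    return compliant, findings


def run_fake_audit():
    """Run the audit over the constructed inventory."""
    return audit_repositories(sorted(FAKE_STORE), fake_get_lifecycle_policy)


if __name__ == "__main__":
    ok, bad = run_fake_audit()
    for name in ok:
        print(f"PASS {name}")
    for name, reason in bad.items():
        print(f"FAIL {name}: {reason}")
```

Against a real account, the only change is the callable: `audit_repositories(names, boto3.client("ecr").get_lifecycle_policy)`, with `names` collected from a `describe_repositories` paginator. Keeping the lookup injectable is what makes the check testable without credentials.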

By following the above steps and utilizing the relevant AWS CLI commands, you can ensure that all ECR repositories within your AWS environment have at least one lifecycle policy configured, promoting efficient and secure container image management.
