ECR Repository Not Encrypted With CMK
- Query id: 0e32d561-4b5a-4664-a6e3-a3fa85649157
- Query name: ECR Repository Not Encrypted With CMK
- Platform: Terraform
- Severity: Low
- Category: Encryption
- URL: Github
Description
ECR repositories should be encrypted with customer-managed KMS keys (CMKs) to meet stricter security and compliance requirements for access control, monitoring, and key rotation. Without an `encryption_configuration` block, or with `encryption_type = "AES256"`, the repository uses the default server-side encryption and no customer-managed key is involved.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
# No encryption_configuration block: the repository falls back to the
# default AES256 server-side encryption, so no customer-managed key is used.
resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Encryption is configured explicitly, but with AES256 rather than a
# customer-managed KMS key.
resource "aws_ecr_repository" "fooX" {
  name                 = "barX"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "AES256"
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
# Encrypted with a customer-managed key: encryption_type is "KMS" and
# kms_key references the CMK's ARN.
resource "aws_ecr_repository" "foo2" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}
```
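The check described above, written as an added Python example rather than the KICS query's own Rego: it runs over the page's three sample resources (embedded as a constructed dict in the nested shape an HCL-to-JSON converter emits, which is an assumption about the parser) and also covers a case the samples do not show, `encryption_type = "KMS"` with no `kms_key`, which makes ECR use the AWS-managed key instead of a CMK.

```python
"""Added example, not the KICS query itself: flag aws_ecr_repository
resources that are not encrypted with a customer-managed KMS key."""

# Constructed input: the page's three sample resources in the nested-dict
# shape an HCL-to-JSON converter emits (block bodies as one-element lists).
# That shape is an assumption; the check only reads the fields shown here.
SAMPLE_DOC = {
    "resource": {
        "aws_ecr_repository": {
            "foo": {"name": "bar", "image_tag_mutability": "IMMUTABLE"},
            "fooX": {
                "name": "barX",
                "encryption_configuration": [{"encryption_type": "AES256"}],
            },
            "foo2": {
                "name": "bar",
                "encryption_configuration": [{
                    "encryption_type": "KMS",
                    "kms_key": "arn:aws:kms:us-west-2:111122223333:key/"
                               "1234abcd-12ab-34cd-56ef-1234567890ab",
                }],
            },
        }
    }
}


def ecr_cmk_findings(doc: dict) -> list[dict]:
    """Return one finding per repository that does not use a CMK."""
    findings = []
    repos = doc.get("resource", {}).get("aws_ecr_repository", {})
    for label, attrs in repos.items():
        enc = attrs.get("encryption_configuration")
        if isinstance(enc, list):          # block syntax -> list of bodies
            enc = enc[0] if enc else None
        key = f"aws_ecr_repository[{label}]"
        if not enc:
            # Absent block: ECR falls back to default AES256 encryption.
            findings.append({"resource": key, "issue": "MissingAttribute",
                             "actual": "no encryption_configuration"})
        elif enc.get("encryption_type") != "KMS":
            findings.append({"resource": key, "issue": "IncorrectValue",
                             "actual": enc.get("encryption_type")})
        elif not enc.get("kms_key"):
            # KMS without kms_key uses the AWS-managed aws/ecr key, not a CMK.
            findings.append({"resource": key, "issue": "MissingAttribute",
                             "actual": "encryption_type KMS without kms_key"})
    return findings
```

Running `ecr_cmk_findings(SAMPLE_DOC)` reports `foo` and `fooX` and leaves `foo2` clean, matching the positive and negative tests above.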