ECR Image Tag Not Immutable

  • Query id: 60bfbb8a-c72f-467f-a6dd-a46b7d612789
  • Query name: ECR Image Tag Not Immutable
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

ECR repositories should have image tag immutability enabled (`image_tag_mutability: immutable`). With mutable tags, anyone who can push to the repository can replace the image behind a tag such as `latest` or `v1.2`, and every deployment pinned to that tag silently picks up different content; with immutable tags a push to an existing tag is rejected, so a tag always resolves to the same image digest. The `community.aws.ecs_ecr` module defaults to `mutable` when the option is omitted, so a task that only names the repository is flagged as well. Immutability applies to new pushes only: pipelines that overwrite a floating tag must move to unique tags (for example the commit SHA), and an existing repository can be switched with `aws ecr put-image-tag-mutability --repository-name <name> --image-tag-mutability IMMUTABLE`.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Flagged: image_tag_mutability is omitted, so the module default (mutable) applies
- name: create immutable ecr-repo
  community.aws.ecs_ecr:
    name: super/cool
# Flagged: tag mutability is set explicitly to mutable
- name: create immutable ecr-repo v2
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: mutable

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Not flagged: tags in this repository cannot be overwritten once pushed
- name: create immutable ecr-repo v4
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: immutable
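The following is an added example, not the KICS query itself (which is written in Rego) and not code from the Ansible module: a small Python checker that applies this rule to a parsed task list and produces a hardened copy. It takes the structure `yaml.safe_load()` returns for a playbook's task list, so no YAML library is needed to run it; the sample tasks are constructed inline to mirror the page's positive and negative tests. Two details are this checker's own choices, not the query's: it treats `state: absent` tasks as out of scope, and it reads the module's documented default of `mutable` when the option is absent.

```python
"""Added example: apply the 'ECR Image Tag Not Immutable' rule to a parsed
Ansible task list. Not the KICS query's own code and not the Ansible module."""

import copy
from typing import Any, Dict, List

# The FQCN and the short module name refer to the same module; the short name
# is valid when the play lists `community.aws` under `collections:`.
ECR_MODULES = {"community.aws.ecs_ecr", "ecs_ecr"}

# Value the module applies when image_tag_mutability is omitted
# (taken from the module documentation; assumption stated in the lead-in).
DEFAULT_MUTABILITY = "mutable"


def _module_params(task: Dict[str, Any], module: str) -> Dict[str, Any]:
    """Normalise module arguments: a dict, a free-form 'k=v k=v' string, or None."""
    params = task.get(module)
    if params is None:
        return {}
    if isinstance(params, str):  # free-form syntax: ecs_ecr: name=super/cool
        return dict(p.split("=", 1) for p in params.split() if "=" in p)
    return params


def ecr_task_findings(tasks: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per ecs_ecr task that leaves image tags mutable."""
    findings = []
    for task in tasks:
        module = next((m for m in ECR_MODULES if m in task), None)
        if module is None:
            continue
        params = _module_params(task, module)
        # A task that deletes the repository creates nothing to protect;
        # skipping it is this checker's choice, not the KICS query's.
        if params.get("state") == "absent":
            continue
        raw = params.get("image_tag_mutability", DEFAULT_MUTABILITY)
        mutability = str(raw).lower()
        if mutability != "immutable":
            findings.append({
                "task": task.get("name", "<unnamed>"),
                "repository": str(params.get("name", "<unknown>")),
                "reason": ("image_tag_mutability omitted, module default is mutable"
                           if "image_tag_mutability" not in params
                           else f"image_tag_mutability is {mutability!r}"),
            })
    return findings


def harden(tasks: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return a deep copy of the tasks with every ecs_ecr repository set immutable."""
    fixed = copy.deepcopy(tasks)
    for task in fixed:
        for module in ECR_MODULES:
            if module in task:
                params = _module_params(task, module)
                if params.get("state") == "absent":
                    continue
                params["image_tag_mutability"] = "immutable"
                task[module] = params  # also rewrites free-form strings as dicts
    return fixed


# Constructed sample: the page's positive tests, its negative test, and an
# unrelated task that the checker must ignore.
SAMPLE_TASKS = [
    {"name": "create immutable ecr-repo",
     "community.aws.ecs_ecr": {"name": "super/cool"}},
    {"name": "create immutable ecr-repo v2",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "mutable"}},
    {"name": "create immutable ecr-repo v4",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "immutable"}},
    {"name": "unrelated task", "ansible.builtin.debug": {"msg": "hi"}},
]

if __name__ == "__main__":
    for f in ecr_task_findings(SAMPLE_TASKS):
        print(f"[MEDIUM] {f['task']} ({f['repository']}): {f['reason']}")
    print("after harden():", ecr_task_findings(harden(SAMPLE_TASKS)))
```

Run against a real playbook by loading it with `yaml.safe_load()` and passing the task list to `ecr_task_findings()`; the two positive tasks above are reported and the negative one is not. Note that `harden()` only fixes what the playbook declares; repositories that already exist with mutable tags still need the `put-image-tag-mutability` call, and any job that re-pushes a floating tag will start failing once immutability is on.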