ECR Repository Not Encrypted With CMK
- Query id: 77a92b0e-b578-4a2e-bb0d-3c53ec4cfb7e
- Query name: ECR Repository Not Encrypted With CMK
- Platform: CloudFormation
- Severity: Low
- Category: Encryption
- CWE: 311
- Risk score: 1.0
- URL: Github
Description
ECR repositories should be encrypted with customer-managed KMS keys (CMKs) to meet stricter security and compliance requirements on access control, monitoring, and key rotation.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": false
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ecrepo:
    Type: AWS::ECR::Repository
    Properties:
      ImageScanningConfiguration:
        ScanOnPush: false
      EncryptionConfiguration:
        EncryptionType: KMS_DSSE
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": false
        },
        "EncryptionConfiguration": {
          "EncryptionType": "AES256",
          "KmsKey": "arn:aws:kms:123456789012:key/your-custom-key-id"
        }
      }
    }
  }
}
Positive test num. 4 - json file
Positive test num. 5 - json file
Positive test num. 6 - json file
Positive test num. 7 - yaml file
Positive test num. 8 - yaml file
Positive test num. 9 - yaml file
Positive test num. 10 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": false
        },
        "EncryptionConfiguration": {
          "EncryptionType": "KMS_DSSE",
          "KmsKey": "arn:aws:kms:123456789012:key/your-custom-key-id"
        }
      }
    }
  }
}
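The following is an added example, not KICS's own query, that reimplements the decision behind the positive and negative cases above as a small Python check over a parsed CloudFormation template: a repository passes only when EncryptionType is a KMS type and a KmsKey is set. It assumes plain KMS with a key is acceptable as well as KMS_DSSE (the page only shows KMS_DSSE), and the sample template and key ARN are constructed placeholders.

```python
"""Flag AWS::ECR::Repository resources in a CloudFormation template that lack
a customer-managed KMS key (mirrors the positive/negative cases above)."""
import json

# Encryption types that can be backed by a customer-managed key. The page only
# shows KMS_DSSE; accepting plain KMS with a key as well is an assumption.
CMK_ENCRYPTION_TYPES = {"KMS", "KMS_DSSE"}


def failure_reason(props):
    """Return why the repository fails the check, or None if it passes."""
    enc = props.get("EncryptionConfiguration")
    if not isinstance(enc, dict):
        return "no EncryptionConfiguration (service default is AES256)"
    enc_type = enc.get("EncryptionType", "AES256")  # CloudFormation default
    if enc_type not in CMK_ENCRYPTION_TYPES:
        # Positive test 3: a KmsKey beside AES256 does not make it CMK-encrypted
        return f"EncryptionType is {enc_type!r}, so KmsKey is not used"
    if not enc.get("KmsKey"):
        # Positive test 2: KMS type without KmsKey is not a customer-managed key
        return f"EncryptionType is {enc_type!r} but no KmsKey is set"
    return None


def find_ecr_without_cmk(template):
    """Return (logical_id, reason) for each ECR repository failing the check."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if not isinstance(res, dict) or res.get("Type") != "AWS::ECR::Repository":
            continue
        props = res.get("Properties")
        reason = failure_reason(props if isinstance(props, dict) else {})
        if reason:
            findings.append((logical_id, reason))
    return findings


def scan_json_template(text):
    """Wrapper for a JSON template body (a YAML template needs a YAML loader)."""
    return find_ecr_without_cmk(json.loads(text))


# Constructed sample mirroring the page's tests; the key ARN is a placeholder.
SAMPLE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "NoConfig": {"Type": "AWS::ECR::Repository", "Properties": {"RepositoryName": "r1"}},
    "KeyIgnored": {"Type": "AWS::ECR::Repository", "Properties": {"EncryptionConfiguration": {
        "EncryptionType": "AES256", "KmsKey": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}}},
    "Good": {"Type": "AWS::ECR::Repository", "Properties": {"EncryptionConfiguration": {
        "EncryptionType": "KMS_DSSE", "KmsKey": {"Ref": "MyKey"}}}}}}
```

Running find_ecr_without_cmk(SAMPLE) reports NoConfig and KeyIgnored and leaves Good alone; a KmsKey given as a Ref or GetAtt intrinsic counts as present.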