github.com/swoldemi/amazon-ecr-image-immutability-check
Advanced tools
Enforce image tag immutability on all Elastic Container Registry repositories within an AWS account
The problem: As of March 2020, AWS Config does not support any custom or native integrations with ECR: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
The solution: Run a Serverless Application Repository app to automatically remediate and report on incompliant ECR repositories for you!
Prerequisites:
It is recommended that you deploy this Lambda function directly from the AWS Serverless Application Repository. It is also possible to deploy this function using:
This function has been made available in all 18 commercial AWS regions that support AWS SAR. It is also possible to deploy the Lambda function in the GovCloud and China regions, if you have access to those regions.
| Region | Click and Deploy |
|---|---|
| US East (Ohio) (us-east-2) |  |
| US East (N. Virginia) (us-east-1) | |
| US West (N. California) (us-west-1) | |
| US West (Oregon) (us-west-2) | |
| Asia Pacific (Hong Kong) (ap-east-1) | |
| Asia Pacific (Mumbai) (ap-south-1) | |
| Asia Pacific (Seoul) (ap-northeast-2) | |
| Asia Pacific (Singapore) (ap-southeast-1) | |
| Asia Pacific (Sydney) (ap-southeast-2) | |
| Asia Pacific (Tokyo) (ap-northeast-1) | |
| Canada (Central) (ca-central-1) | |
| EU (Frankfurt) (eu-central-1) | |
| EU (Ireland) (eu-west-1) | |
| EU (London) (eu-west-2) | |
| EU (Paris) (eu-west-3) | |
| EU (Stockholm) (eu-north-1) | |
| Middle East (Bahrain) (me-south-1) | |
| South America (Sao Paulo) (sa-east-1) | |
rate(24 hours)).If you would like to retrive notifications of repositories that have image immutability disabled create and subscribe to an SNS topic then pass the ARN of the topic in the SNSTopicARN parameter.
Example message contents (Email subscription):
The amazon-ecr-image-immutability-check Lambda function you deployed found some incompliant ECR repositories:
1. Repository: product-a/service-one
2. Repository: product-a/service-two
3. Repository: custom-internal-nginx
If auto-remediation is enabled, then these repositories will have Image Tag Immutability enabled and are now compliant until changed.
AWS Region: us-east-2
ECR Registry ID: 123456789012
Auto-Remediation: ENABLED
--
If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe:
https://sns.us-east-2.amazonaws.com/unsubscribe.html?SubscriptionArn=arn:aws:sns:us-east-2:123456789012:your-topic-name:random-topic-id&Endpoint=example@example.com
Please do not reply directly to this email. If you have any questions or comments regarding this email, please contact us at https://aws.amazon.com/support
After your specified interval and interval unit (example: rate(5 minutes)), a CloudWatch event will trigger the Lambda function and scan your account for repositories that do not have image tag immutability enabled. If any are found, image tag immutability will be enabled.
Have an idea for a feature to enhance this serverless application? Open an issue or pull request!
This application has been developed, built, and testing against Go 1.13, Go 1.14, the latest version of the Serverless Application Model CLI, and the latest version of the AWS CLI. A Makefile has been provided for convenience.
make check
make test
make build
make sam-package
make sam-deploy
make sam-tail-logs
make destroy
It is also possible to prevent account users from changing the tag immutability setting by not granting them the ecr:PutImageTagMutability action.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for critical projects.
Security News
Rust’s crates.io team is advancing an RFC to add a Security tab that surfaces RustSec vulnerability and unsoundness advisories directly on crate pages.
Security News
/Research
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.