Profile Applicability:

  • Level 1

Description:

Amazon Elastic Container Registry (ECR) allows you to store and manage Docker container images. One important feature is tag immutability, which ensures that container image tags cannot be overwritten once they are set. Enabling tag immutability in ECR repositories ensures that once an image version is tagged, it cannot be modified or overwritten, providing an additional layer of security by preventing malicious or accidental changes to production images.

Rationale:

  • Security: Tag immutability protects the integrity of the image tags, preventing malicious users or systems from replacing or modifying critical container images.

  • Operational Integrity: By preventing the overwriting of tags, you ensure that the same image version is used consistently across environments.

  • Compliance: Many security frameworks require that images deployed to production environments are verified and cannot be changed post-deployment, making this feature important for compliance.

Impact:

Pros:

  • Enhanced Security: Prevents unauthorized changes to tagged images, ensuring that production images remain unchanged.

  • Consistent Deployments: Ensures that the same image version is used across multiple environments, reducing the risk of discrepancies.

  • Auditability: Makes it easier to audit the history of images deployed, ensuring accountability and traceability.

Cons:

  • Flexibility: Once a tag is immutable, it cannot be overwritten, which may cause issues if you need to re-tag or update an image under that tag.

  • Operational Overhead: If a mistake is made and the wrong image is tagged, you must remove the tag and push a new version, which may require additional steps.

Default Value:

By default, ECR repositories do not have tag immutability enabled. This must be explicitly configured during repository setup or updated after the repository is created.

Pre-requisite:

  • AWS IAM Permissions:

    • ecr:PutImageTagMutability

    • ecr:DescribeRepositories

  • AWS CLI installed and configured.

  • The ECR repository must already exist and be operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon ECR under Services.

  3. In the ECR Console, select Repositories.

  4. Choose the repository that you want to check.

  5. Under the Repository details section, locate the Tag immutability setting.

    • If tag immutability is enabled, it will show as "Enabled".

    • If it is not enabled, the setting will be "Not Enabled".

  6. If tag immutability is not enabled, follow the steps in the Implementation Steps to enable it.

Using AWS CLI:

  1. To check if tag immutability is enabled for a repository, run the following command:

    aws ecr describe-repositories --repository-names <repository-name> --query 'repositories[*].imageTagMutability'

  2. The output will return:

    • "MUTABLE" if tag immutability is not enabled.

    • "IMMUTABLE" if tag immutability is enabled.

  3. If tag immutability is not enabled, follow the Implementation Steps to enable it.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon ECR.

  2. In the ECR Console, select the repository for which you want to enable tag immutability.

  3. Under the Repository details section, click on Edit.

  4. In the Tag Immutability section, select Enable tag immutability.

  5. Save the changes to enable tag immutability for the repository.

Using AWS CLI:

  1. To enable tag immutability for a repository, run the following command:

    aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability IMMUTABLE

  2. To verify that tag immutability is enabled, run:

    aws ecr describe-repositories --repository-names <repository-name> --query 'repositories[*].imageTagMutability'
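The Test Plan and Implementation Steps above check one repository at a time. The following script is an added example, not part of this benchmark or of AWS tooling: it audits the JSON that `aws ecr describe-repositories` returns for every repository in a registry, lists the ones whose tags are still MUTABLE, and generates the exact `put-image-tag-mutability` command from the Implementation Steps for each of them. The repository names, the registry ID 123456789012 and the sample response are constructed for the example; in practice you would pipe the real CLI output into it.

```python
import json
import shlex
import sys

# Constructed sample of `aws ecr describe-repositories` output, trimmed to the
# fields this check needs. Names and the registry ID are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"registryId": "123456789012", "repositoryName": "payments-api",
         "imageTagMutability": "IMMUTABLE"},
        {"registryId": "123456789012", "repositoryName": "web-frontend",
         "imageTagMutability": "MUTABLE"},
        {"registryId": "123456789012", "repositoryName": "batch-worker",
         "imageTagMutability": "MUTABLE"},
    ]
})


def find_mutable_repositories(describe_output):
    """Return the names of repositories whose tags can still be overwritten.

    Anything other than the literal value IMMUTABLE (including a missing field)
    is treated as non-compliant, so the audit fails closed.
    """
    data = json.loads(describe_output)
    return [
        repo["repositoryName"]
        for repo in data.get("repositories", [])
        if repo.get("imageTagMutability") != "IMMUTABLE"
    ]


def remediation_commands(repo_names, region=None):
    """Build the benchmark's remediation command for each non-compliant repository."""
    commands = []
    for name in repo_names:
        argv = ["aws", "ecr", "put-image-tag-mutability",
                "--repository-name", name,
                "--image-tag-mutability", "IMMUTABLE"]
        if region:
            argv += ["--region", region]
        # shlex.join quotes any name that needs it, so the output is safe to paste.
        commands.append(shlex.join(argv))
    return commands


def query_result_is_immutable(query_output):
    """Interpret the output of the benchmark's single-repository check:

        aws ecr describe-repositories --repository-names <name> \
            --query 'repositories[*].imageTagMutability'

    The --query expression yields a JSON list with one string per repository.
    """
    values = json.loads(query_output)
    return len(values) > 0 and all(v == "IMMUTABLE" for v in values)


if __name__ == "__main__":
    # Read real CLI output from stdin when available, otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    mutable = find_mutable_repositories(raw)
    if not mutable:
        print("All repositories have tag immutability enabled.")
    else:
        print("Repositories with MUTABLE tags:")
        for cmd in remediation_commands(mutable):
            print("  " + cmd)
```

Run it as `aws ecr describe-repositories | python3 audit_ecr_immutability.py` (file name is the example's own). Once a repository is IMMUTABLE, a push that reuses an existing tag is rejected by ECR with `ImageTagAlreadyExistsException`, which is the behaviour the Cons section describes and the reason the remediation is easiest to apply before the repository is in production use.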

Backout Plan:

Using AWS Console:

  1. If enabling tag immutability causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon ECR, select the repository, and go to Edit.

  3. Disable tag immutability by selecting the MUTABLE option.

  4. Save the changes and verify that tag immutability is no longer applied.

Using AWS CLI:

  1. To disable tag immutability for a repository, run the following command:

    aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability MUTABLE --region <region>

  2. Verify that tag immutability is now disabled by describing the repository:

    aws ecr describe-repositories --repository-names <repository-name> --region <region>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                    | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                   |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.               |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                        |     |     |