Profile Applicability:
- Level 1
Description:
Amazon Elastic Container Registry (ECR) stores and manages container images. Lifecycle policies in ECR are per-repository rule sets that automatically expire (delete) images matching a selection, for example untagged images pushed more than a given number of days ago, or any images beyond the N most recently pushed. Expiration is the only action a lifecycle policy can take; ECR does not transition images to other storage classes. This SOP ensures that ECR repositories are configured with lifecycle policies so that image retention is managed automatically, keeping only necessary or recent images and improving overall repository hygiene.
Rationale:
Security: Automatically expiring old or unused images shrinks the set of images that can still be pulled and deployed, so stale builds with known vulnerabilities are less likely to be run by mistake or to linger in the registry unscanned.
Cost Management: By deleting unnecessary images, organizations can lower storage costs associated with ECR repositories.
Best Practices: Implementing lifecycle policies aligns with container image management best practices, ensuring repositories are clean and only retain the necessary images.
Impact:
Pros:
Improved Security: Reduces the risk of using outdated or vulnerable container images.
Cost-Effective: Helps in managing storage costs by removing unused or old images.
Operational Efficiency: Automates the process of cleaning up repositories, reducing the manual effort required.
Cons:
Loss of Historical Data: Images expired by a lifecycle policy are permanently deleted and cannot be restored, so rolling back to a version that has already been expired is no longer possible.
Misconfiguration: An overly broad rule (for example tagStatus "any" with a low image count) can delete images that are still deployed or needed for rollback. Preview a policy against the repository (aws ecr start-lifecycle-policy-preview) before applying it.
Default Value:
By default, ECR repositories do not have lifecycle policies enabled. Lifecycle policies must be explicitly configured for each repository.
Pre-requisite:
AWS IAM Permissions:
ecr:DescribeRepositories
ecr:GetLifecyclePolicy
ecr:PutLifecyclePolicy
ecr:DeleteLifecyclePolicy (for the Backout Plan)
AWS CLI installed and configured.
ECR Repository created and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon ECR under Services.
In the ECR Console, select Repositories.
For each repository, check the Lifecycle Policy section:
If a lifecycle policy is enabled, it will display the configured rules (e.g., retention duration, image deletion rules).
If lifecycle policies are not configured, it will indicate "No lifecycle policy" or "None".
If lifecycle policies are not enabled, follow the Implementation Steps below to enable them.
Using AWS CLI:
To check whether a lifecycle policy is configured for a repository, run the following command (repeat for every repository name returned by describe-repositories; policies are set per repository and per region):
aws ecr get-lifecycle-policy --repository-name <repository-name> --region <region>
If a policy is configured, the output contains its rules in the lifecyclePolicyText field. If no policy is configured, the command does not return an empty response; it fails with a LifecyclePolicyNotFoundException and a non-zero exit code, which is the signal that the repository is non-compliant.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon ECR.
In the ECR Console, select the repository for which you want to enable lifecycle policies.
Under the Lifecycle policy section, click on Edit policy.
Define the lifecycle policy based on your image retention requirements (e.g., delete images older than 30 days, retain only the last 10 images, etc.).
Save the lifecycle policy configuration.
Using AWS CLI:
To create or modify a lifecycle policy for an ECR repository, use the following command:
aws ecr put-lifecycle-policy \
  --repository-name <repository-name> \
  --lifecycle-policy-text '{
    "rules": [
      {
        "rulePriority": 1,
        "description": "Expire untagged images pushed more than 30 days ago",
        "selection": {
          "tagStatus": "untagged",
          "countType": "sinceImagePushed",
          "countUnit": "days",
          "countNumber": 30
        },
        "action": { "type": "expire" }
      },
      {
        "rulePriority": 2,
        "description": "Keep only the 10 most recently pushed images",
        "selection": {
          "tagStatus": "any",
          "countType": "imageCountMoreThan",
          "countNumber": 10
        },
        "action": { "type": "expire" }
      }
    ]
  }'
This policy expires untagged images that were pushed more than 30 days ago (rule 1) and, across all images in the repository, keeps only the 10 most recently pushed (rule 2). Note the constraints: a sinceImagePushed rule needs countUnit "days", an imageCountMoreThan rule must not set countUnit, and a tagStatus "any" rule must carry the highest rulePriority because it is evaluated last. Rule 2 also expires tagged images once more than 10 exist; if production tags must be retained, narrow it to tagStatus "tagged" with a tagPrefixList. Matching images are normally expired within 24 hours of the policy being applied. Adjust the policy according to your organization's needs.
After applying the policy, verify it by running:
aws ecr get-lifecycle-policy --repository-name <repository-name>
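The following script is an added example for this SOP, not code from the original page or from AWS; it automates the CLI checks in the Test Plan and Implementation Steps above. audit_repositories() walks every repository in a region (with nextToken pagination) and treats the LifecyclePolicyNotFoundException that get-lifecycle-policy raises as "no policy configured"; lint_policy() checks a policy document against ECR's documented rule constraints before it is handed to put-lifecycle-policy. In real use a boto3 ECR client is passed in; FakeEcrClient, GOOD_POLICY, BAD_POLICY and SAMPLE_REPOS are constructed stand-ins so the script runs offline.

```python
"""Added example (not from the SOP or AWS): audit ECR repositories for
lifecycle policies and lint a policy document before applying it.
Assumptions: real runs pass boto3.client("ecr"); FakeEcrClient and the
sample policies are constructed so this runs offline."""
import json
from types import SimpleNamespace

VALID_TAG_STATUS = {"any", "tagged", "untagged"}
VALID_COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}


def lint_policy(policy):
    """Return a list of problems with a lifecycle policy dict (empty = valid).
    Checks mirror ECR's documented constraints; ECR is the final authority."""
    problems = []
    rules = policy.get("rules", [])
    if not rules:
        return ["policy has no rules"]
    priorities = [r.get("rulePriority") for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("rulePriority values must be unique")
    untagged_rules = 0
    for r in rules:
        prio = r.get("rulePriority")
        sel, act = r.get("selection", {}), r.get("action", {})
        status, ctype = sel.get("tagStatus"), sel.get("countType")
        if status not in VALID_TAG_STATUS:
            problems.append(f"rule {prio}: tagStatus must be one of {sorted(VALID_TAG_STATUS)}")
        # An 'any' rule also matches tagged images and must be evaluated last.
        if status == "any" and prio != max(priorities):
            problems.append(f"rule {prio}: tagStatus 'any' rule must have the highest rulePriority")
        if status == "untagged":
            untagged_rules += 1
        if status == "tagged" and not (sel.get("tagPrefixList") or sel.get("tagPatternList")):
            problems.append(f"rule {prio}: tagStatus 'tagged' needs tagPrefixList or tagPatternList")
        if ctype not in VALID_COUNT_TYPES:
            problems.append(f"rule {prio}: countType must be one of {sorted(VALID_COUNT_TYPES)}")
        elif ctype == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {prio}: sinceImagePushed requires countUnit 'days'")
        elif ctype == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {prio}: imageCountMoreThan must not set countUnit")
        if not isinstance(sel.get("countNumber"), int) or sel["countNumber"] < 1:
            problems.append(f"rule {prio}: countNumber must be a positive integer")
        if act.get("type") != "expire":
            problems.append(f"rule {prio}: action.type must be 'expire'")
    if untagged_rules > 1:
        problems.append("only one rule may select untagged images")
    return problems


def audit_repositories(ecr):
    """Map each repository name to COMPLIANT or NO_LIFECYCLE_POLICY.
    Follows nextToken pagination; a missing policy surfaces as the client's
    LifecyclePolicyNotFoundException (same error the CLI prints)."""
    results, token = {}, None
    while True:
        page = ecr.describe_repositories(**({"nextToken": token} if token else {}))
        for repo in page["repositories"]:
            name = repo["repositoryName"]
            try:
                ecr.get_lifecycle_policy(repositoryName=name)
                results[name] = "COMPLIANT"
            except ecr.exceptions.LifecyclePolicyNotFoundException:
                results[name] = "NO_LIFECYCLE_POLICY"
        token = page.get("nextToken")
        if not token:
            return results


class _NotFound(Exception):
    pass


class FakeEcrClient:
    """Constructed offline stand-in for boto3.client('ecr'); returns two pages."""
    exceptions = SimpleNamespace(LifecyclePolicyNotFoundException=_NotFound)

    def __init__(self, policies):
        self._policies = policies  # repositoryName -> policy JSON text, or None

    def describe_repositories(self, nextToken=None):
        names = sorted(self._policies)
        if nextToken is None:
            return {"repositories": [{"repositoryName": n} for n in names[:2]], "nextToken": "page2"}
        return {"repositories": [{"repositoryName": n} for n in names[2:]]}

    def get_lifecycle_policy(self, repositoryName):
        text = self._policies[repositoryName]
        if text is None:
            raise _NotFound(repositoryName)
        return {"repositoryName": repositoryName, "lifecyclePolicyText": text}


# Constructed samples: GOOD_POLICY is valid, BAD_POLICY has two defects.
GOOD_POLICY = {"rules": [
    {"rulePriority": 1, "description": "Expire untagged images after 30 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 30}, "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Keep only the 10 most recent images",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10},
     "action": {"type": "expire"}}]}
BAD_POLICY = {"rules": [
    {"rulePriority": 2, "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                                       "countUnit": "days", "countNumber": 30},  # countUnit on a count rule
     "action": {"type": "expire"}},
    {"rulePriority": 1, "selection": {"tagStatus": "tagged", "countType": "sinceImagePushed",
                                       "countUnit": "days", "countNumber": 30},  # no tagPrefixList
     "action": {"type": "expire"}}]}
SAMPLE_REPOS = {"api": json.dumps(GOOD_POLICY), "web": json.dumps(GOOD_POLICY), "worker": None}

if __name__ == "__main__":
    # Real use: audit_repositories(boto3.client("ecr", region_name="<region>"))
    for repo, status in sorted(audit_repositories(FakeEcrClient(SAMPLE_REPOS)).items()):
        print(f"{repo:8} {status}")
    for problem in lint_policy(BAD_POLICY):
        print("BAD_POLICY:", problem)
```

Run lint_policy() on a candidate document before put-lifecycle-policy to catch the structural mistakes ECR would reject (and the inconsistent 30-day/10-image rule the SOP's own example had), then confirm what would actually be deleted with aws ecr start-lifecycle-policy-preview and get-lifecycle-policy-preview before the policy goes live.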
Backout Plan:
Using AWS Console:
If lifecycle policies cause issues or need to be reverted, sign in to the AWS Management Console.
Navigate to Amazon ECR, select the repository, and go to Edit lifecycle policy.
Remove or modify the lifecycle policy based on your needs.
Save the changes and verify that the lifecycle policy has been updated or removed.
Using AWS CLI:
To remove a lifecycle policy, use the following command:
aws ecr delete-lifecycle-policy --repository-name <repository-name> --region <region>
Verify that the lifecycle policy is removed by requesting it again; with no policy present the command fails with a LifecyclePolicyNotFoundException:
aws ecr get-lifecycle-policy --repository-name <repository-name> --region <region>