CloudFormation Guard (cfn-guard) rules template for Amazon ECR repositories (`AWS::ECR::Repository`). Every rule is skipped when the template contains no ECR repositories.
The following rules are included:
# Select every AWS::ECR::Repository resource in the template. Each rule below is
# gated on this list being non-empty, so templates with no ECR repositories are
# skipped rather than failed.
let ecr_repositories = Resources.*[
Type == "AWS::ECR::Repository"
]
# Require basic vulnerability scanning on push for every ECR repository.
# Fails with a distinct message when ImageScanningConfiguration is absent, and
# again when it is present but ScanOnPush is not true.
# NOTE(review): this only validates repository-level (basic) scanning. If the
# registry uses enhanced scanning (Amazon Inspector), the scan-on-push setting is
# managed at the registry level and this property may not reflect the effective
# behaviour — confirm against the registry scanning configuration.
rule ecr_vuln_scan when %ecr_repositories !empty {
    %ecr_repositories {
        Properties {
            ImageScanningConfiguration exists <<ImageScanningConfiguration is not configured (i.e. disabled).>>
            when ImageScanningConfiguration exists {
                ImageScanningConfiguration.ScanOnPush == true <<Image scan on push is disabled.>>
            }
        }
    }
}
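# Require a repository resource policy, and reject policies that grant access to
# every principal. The original rule only checked that RepositoryPolicyText
# exists, which a policy with `Principal: "*"` (or `Principal: {AWS: "*"}`) on an
# Allow statement would satisfy — presence of a policy is not the same as a
# restrictive policy.
# The principal check only runs when the policy is authored inline as an object;
# a policy supplied as a JSON string cannot be traversed by Guard and is only
# checked for presence.
rule ecr_resource_policy when %ecr_repositories !empty {
    %ecr_repositories {
        Properties {
            RepositoryPolicyText exists <<Resource policy is not configured.>>
            when RepositoryPolicyText is_struct {
                RepositoryPolicyText.Statement[*] {
                    # Only Allow statements can open the repository up; Deny with "*" is fine.
                    when Effect == "Allow" {
                        when Principal is_string {
                            Principal != "*" <<Resource policy grants access to all principals (Principal "*").>>
                        }
                        when Principal is_struct {
                            when Principal.AWS exists {
                                Principal.AWS != "*" <<Resource policy grants access to all AWS principals (Principal.AWS "*").>>
                            }
                        }
                    }
                }
            }
        }
    }
}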
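# Require KMS-based encryption at rest for every ECR repository.
# Fix: ECR's EncryptionType also accepts "KMS_DSSE" (dual-layer server-side
# encryption with KMS), which is at least as strong as "KMS". The original
# `EncryptionType == "KMS"` comparison rejected it; both values are accepted now.
# NOTE(review): "KMS" without a KmsKey property uses the AWS-managed key
# (aws/ecr). If a customer-managed key is required, add a `KmsKey exists`
# clause inside the EncryptionConfiguration block.
rule ecr_kms_encryption_enabled when %ecr_repositories !empty {
    %ecr_repositories {
        Properties {
            EncryptionConfiguration exists <<EncryptionConfiguration is not configured (Default is AES256).>>
            when EncryptionConfiguration exists {
                EncryptionConfiguration {
                    EncryptionType in ["KMS", "KMS_DSSE"] <<KMS encryption is not enabled.>>
                }
            }
        }
    }
}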
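# Require a lifecycle policy on every ECR repository so stale images are
# expired rather than accumulating.
# Fix: the original rule only checked that the LifecyclePolicy property
# exists. LifecyclePolicy is an object whose LifecyclePolicyText carries the
# actual rules; a LifecyclePolicy with only RegistryId (or nothing) passed the
# old check while expiring nothing. The text is now required as well.
rule ecr_repository_lifecycle_policies when %ecr_repositories !empty {
    %ecr_repositories {
        Properties {
            LifecyclePolicy exists <<Lifecycle policy is not configured.>>
            when LifecyclePolicy exists {
                LifecyclePolicy {
                    LifecyclePolicyText exists <<Lifecycle policy has no LifecyclePolicyText, so no images will be expired.>>
                }
            }
        }
    }
}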