CloudFormation Guard rules template for Amazon ECR resources
The following rules are included:
# Select every AWS::ECR::Repository declared in the template. The rules in this
# file iterate over this selection and are skipped when it is empty.
let ecr_repositories = Resources.*[ Type == "AWS::ECR::Repository" ]
# Require image scanning on every ECR repository: the ImageScanningConfiguration
# block must be present, and when it is, ScanOnPush must be the boolean true.
# The ScanOnPush check is guarded so a missing block is reported only once.
# NOTE(review): Guard compares typed values, so a quoted "true" would presumably
# not satisfy this clause — confirm templates use a YAML/JSON boolean here.
rule ecr_vuln_scan when %ecr_repositories !empty {
    %ecr_repositories {
        Properties.ImageScanningConfiguration exists
            <<ImageScanningConfiguration is not configured (i.e. disabled).>>
        when Properties.ImageScanningConfiguration exists {
            Properties.ImageScanningConfiguration.ScanOnPush == true
                <<Image scan on push is disabled.>>
        }
    }
}
# Require a repository resource policy on every ECR repository. Only the
# presence of RepositoryPolicyText is checked; the policy statements themselves
# are not inspected by this rule.
rule ecr_resource_policy when %ecr_repositories !empty {
    %ecr_repositories {
        Properties.RepositoryPolicyText exists
            <<Resource policy is not configured.>>
    }
}
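# Require KMS-backed encryption at rest on every ECR repository. The
# EncryptionConfiguration block must be present (ECR defaults to AES256 when it
# is omitted), and its EncryptionType must be a KMS-based mode. Both "KMS" and
# "KMS_DSSE" (dual-layer server-side encryption) use a KMS key; the previous
# "== KMS" comparison reported KMS_DSSE repositories as unencrypted.
rule ecr_kms_encryption_enabled when %ecr_repositories !empty {
    %ecr_repositories {
        Properties {
            EncryptionConfiguration exists <<EncryptionConfiguration is not configured (Default is AES256).>>
            when EncryptionConfiguration exists {
                EncryptionConfiguration {
                    EncryptionType IN ["KMS", "KMS_DSSE"] <<KMS encryption is not enabled.>>
                }
            }
        }
    }
}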
# Require a lifecycle policy on every ECR repository. The rule checks only that
# the LifecyclePolicy block is declared; the policy rules inside it are not
# evaluated.
rule ecr_repository_lifecycle_policies when %ecr_repositories !empty {
    %ecr_repositories {
        Properties.LifecyclePolicy exists
            <<Lifecycle policy is not configured.>>
    }
}