Skip to content

ECR image tags are not immutable

Description

Amazon ECR supports immutable tags, preventing image tags from being overwritten. In the past, ECR tags could have been overwritten, this could be overcome by requiring users to uniquely identify an image using a naming convention.

Tag Immutability enables users can rely on the descriptive tags of an image as a mechanism to track and uniquely identify images. By setting an image tag as immutable, developers can use the tag to correlate the deployed image version with the build that produced the image.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon ECR console.
  3. Select a repository using the radio button.
  4. Click Edit.
  5. Enable the Tag immutability toggle.

CLI Command

To create a repository with immutable tags configured:

aws ecr create-repository
--repository-name name
--image-tag-mutability IMMUTABLE
--region us-east-2

Fix - Buildtime

Terraform

  • Resource: aws_ecr_repository
  • Arguments: image_tag_mutability - (Optional) The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. 
resource "aws_ecr_repository" "example" {
  ...
  name                 = "bar"
+ image_tag_mutability = "IMMUTABLE"
}

CloudFormation

  • Resource: AWS::ECR::Repository
  • Arguments: Properties.ImageTagMutability - (Optional) The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. 
Resources: 
  MyRepository: 
    Type: AWS::ECR::Repository
    Properties: 
      ...
+     ImageTagMutability: "IMMUTABLE"