ECR images tags shouldn't be mutable.

Explanation

ECR images should be set to IMMUTABLE to prevent code injection through image mutation.

This can be done by setting image_tab_mutability to IMMUTABLE

Possible Impact

Image tags could be overwritten with compromised images

Suggested Resolution

Only use immutable images in ECR

Insecure Example

The following example will fail the aws-ecr-enforce-immutable-repository check.

resource "aws_ecr_repository" "bad_example" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

Secure Example

The following example will pass the aws-ecr-enforce-immutable-repository check.

resource "aws_ecr_repository" "good_example" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

Getting Started
Provider Checks
Config
GitHub Actions