ECR repository is not encrypted with customer managed key Affecting ECR service in AWS

Severity Framework Snyk CCSS

Rule category Keys and Secrets / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM GDPR NIST-800-53 SOC-2

Snyk ID SNYK-CC-00299
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

ECR repository is not encrypted with customer managed key.

How to fix?

Set encryption_configuration.kms_key attribute to customer managed KMS key.

Example Configuration

resource "aws_ecr_repository" "secure" {
  name = "secure-example"

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = "arnsomekey"
  }
}

Terraform

aws_ecr_repository

References

Encryption at rest
AWS KMS Best Practices Whitepaper