AWS ECR replication configuration for private registry is not configured
Affecting ECR service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Availability / Replication

  • Snyk ID: SNYK-CC-00763
  • Credit: Snyk Research Team

Description

Lack of replication configuration for AWS ECR private registries can lead to regional data unavailability and potential business continuity issues. Cross-region replication is essential to ensure that container images are available in multiple regions for failover and redundancy purposes. This also aids in reducing latency for global applications by having images stored closer to compute resources.

How to fix?

Set the region and registry_id attributes in the replication_configuration.rule.destination block of the aws_ecr_replication_configuration resource.

Example Configuration

data "aws_caller_identity" "current" {}

resource "aws_ecr_replication_configuration" "example" {
  replication_configuration {
    rule {
      destination {
        region      = "ap-northeast-3"
        registry_id = data.aws_caller_identity.current.account_id
      }

      destination {
        region      = "eu-west-2"
        registry_id = data.aws_caller_identity.current.account_id
      }
    }
  }
}
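
To confirm the setting on a live registry, the added example below (not part of the Snyk rule or its own code) audits JSON shaped like the output of `aws ecr describe-registry`. The sample documents and account IDs are constructed, and home_region is an assumed parameter supplied by the caller, because the registry's own region is not part of that output.

```python
import json

# Constructed samples shaped like `aws ecr describe-registry` output.
# Account IDs are placeholders.
UNCONFIGURED = json.loads(
    '{"registryId": "111111111111", "replicationConfiguration": {"rules": []}}'
)
CONFIGURED = json.loads("""
{"registryId": "111111111111",
 "replicationConfiguration": {"rules": [
   {"destinations": [
      {"region": "ap-northeast-3", "registryId": "111111111111"},
      {"region": "eu-west-2", "registryId": "111111111111"}],
    "repositoryFilters": [{"filter": "prod-", "filterType": "PREFIX_MATCH"}]}]}}
""")


def audit_replication(registry, home_region):
    """Return (failures, notes); an empty failures list means the check passes."""
    failures, notes = [], []
    rules = (registry.get("replicationConfiguration") or {}).get("rules") or []
    if not rules:
        return ["no replication rules configured"], notes
    cross_region = False
    for i, rule in enumerate(rules):
        dests = rule.get("destinations") or []
        if not dests:
            failures.append(f"rule {i}: no destinations")
        for dest in dests:
            region, registry_id = dest.get("region"), dest.get("registryId")
            if not region or not registry_id:
                failures.append(f"rule {i}: destination missing region or registryId")
            elif region != home_region:
                cross_region = True
        for flt in rule.get("repositoryFilters") or []:
            # A filter narrows what is copied: repositories outside it are
            # not replicated even though a rule exists.
            notes.append(
                f"rule {i}: only repositories matching "
                f"{flt.get('filterType')} '{flt.get('filter')}' are replicated"
            )
    if not cross_region:
        failures.append(f"no destination outside home region {home_region}")
    return failures, notes


if __name__ == "__main__":
    for name, reg in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        print(name, audit_replication(reg, "us-east-1"))
```

A rule that carries repository filters passes the check but replicates only the matching repositories, so review the notes as well as the failures.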