turbot/aws_compliance

Control: 3 ECR repositories should have at least one lifecycle policy configured

Description

This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured.

Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. By configuring lifecycle policies, you can automate the cleanup of unused images and the expiration of images based on age or count. Automating these tasks can help you avoid unintentionally using outdated images in your repository.

Remediation

To configure a lifecycle policy, see Creating a lifecycle policy preview in the Amazon Elastic Container Registry User Guide.
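To make the control's pass/fail logic and the remediation concrete, the following Python example (added here; it is not code from the aws_compliance mod or from AWS) evaluates a constructed repository inventory the way the control does and builds and validates a minimal lifecycle policy document of the kind the AWS guide describes. The sample repositories, ARNs and account number are constructed; the `lifecyclePolicyText` field mimics what ECR's GetLifecyclePolicy call returns, and the assumption that a policy document with zero rules counts as unconfigured is this example's choice, not the page's. The validator checks the documented ECR rule constraints (tag status, count type, count unit, expire action, unique priorities) but cannot prove that ECR will accept a document.

```python
import json

# Constructed sample inventory (not real AWS output). Each entry carries the
# repository ARN and the policy text ECR's GetLifecyclePolicy would return;
# None models a repository with no policy at all, which is the failing case.
SAMPLE_REPOSITORIES = [
    {
        "repositoryName": "app-api",
        "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app-api",
        "lifecyclePolicyText": json.dumps({"rules": [{
            "rulePriority": 1,
            "description": "Expire untagged images after 14 days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 14},
            "action": {"type": "expire"},
        }]}),
    },
    {
        "repositoryName": "legacy-worker",
        "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy-worker",
        "lifecyclePolicyText": None,
    },
    {
        "repositoryName": "empty-policy",
        "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/empty-policy",
        "lifecyclePolicyText": json.dumps({"rules": []}),  # edge case: policy, no rules
    },
]

VALID_TAG_STATUS = {"tagged", "untagged", "any"}
VALID_COUNT_TYPE = {"imageCountMoreThan", "sinceImagePushed"}


def evaluate_repository(repo):
    """Return one control-style row: resource, status ('ok'/'alarm') and reason.

    Assumption (this example's, not the control's): a document that is
    unparseable or defines no rules is treated as unconfigured (alarm).
    """
    name, arn = repo["repositoryName"], repo["repositoryArn"]
    text = repo.get("lifecyclePolicyText")
    if not text:
        return {"resource": arn, "status": "alarm",
                "reason": f"{name} has no lifecycle policy configured."}
    try:
        rules = json.loads(text).get("rules") or []
    except (json.JSONDecodeError, AttributeError):
        rules = []
    if not rules:
        return {"resource": arn, "status": "alarm",
                "reason": f"{name} has a lifecycle policy with no rules."}
    return {"resource": arn, "status": "ok",
            "reason": f"{name} has {len(rules)} lifecycle rule(s) configured."}


def evaluate_control(repos):
    """Evaluate every repository, mirroring the control's per-resource rows."""
    return [evaluate_repository(r) for r in repos]


def summarize(rows):
    """Count rows per status, like the summary powerpipe prints after a run."""
    counts = {"ok": 0, "alarm": 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


def expire_untagged_policy(days):
    """Build a minimal remediation policy: expire untagged images after `days`."""
    return {"rules": [{
        "rulePriority": 1,
        "description": f"Expire untagged images after {days} days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": days},
        "action": {"type": "expire"},
    }]}


def validate_lifecycle_policy(doc):
    """Check a policy document against the documented ECR rule constraints.

    Returns a list of error strings; an empty list means the document is
    well-formed by these checks (ECR's own validation is authoritative).
    """
    errors, seen = [], set()
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must contain a non-empty 'rules' list"]
    for i, rule in enumerate(rules):
        prio, sel = rule.get("rulePriority"), rule.get("selection", {})
        if not isinstance(prio, int) or prio < 1 or prio in seen:
            errors.append(f"rule {i}: rulePriority must be a unique positive integer")
        seen.add(prio)
        if sel.get("tagStatus") not in VALID_TAG_STATUS:
            errors.append(f"rule {i}: tagStatus must be one of {sorted(VALID_TAG_STATUS)}")
        if sel.get("tagStatus") == "tagged" and not (sel.get("tagPrefixList") or sel.get("tagPatternList")):
            errors.append(f"rule {i}: tagged selection needs tagPrefixList or tagPatternList")
        if sel.get("countType") not in VALID_COUNT_TYPE:
            errors.append(f"rule {i}: countType must be one of {sorted(VALID_COUNT_TYPE)}")
        if sel.get("countType") == "sinceImagePushed" and sel.get("countUnit") != "days":
            errors.append(f"rule {i}: sinceImagePushed requires countUnit 'days'")
        if not isinstance(sel.get("countNumber"), int) or sel.get("countNumber") < 1:
            errors.append(f"rule {i}: countNumber must be a positive integer")
        if rule.get("action", {}).get("type") != "expire":
            errors.append(f"rule {i}: action type must be 'expire'")
    return errors


if __name__ == "__main__":
    rows = evaluate_control(SAMPLE_REPOSITORIES)
    for row in rows:
        print(f"{row['status']:5} {row['resource']}  {row['reason']}")
    print(summarize(rows), validate_lifecycle_policy(expire_untagged_policy(14)))
```

Running the block prints one ok row for `app-api` and alarm rows for the two other constructed repositories, then the summary and an empty error list for the generated remediation policy. The validator is most useful before applying a policy: a `tagged` selection without a prefix or pattern list, or a `sinceImagePushed` rule without `countUnit: days`, is caught locally rather than at the API.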

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecr_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecr_3 --share

SQL

This control uses a named query:

ecr_repository_lifecycle_policy_configured

Tags