Prevent Security Hub findings from old scanned ECR images (and save money in the process)

Updated: Jul 10



 

When I checked Security Hub after setting it up, I found a ton of findings related to old ECR images that were still sitting in my repository.



If you have never set this up, now is the moment, and if you are about to create your ECR repository, you should build it in from the start.


As we know, creating an ECR repository in Terraform is as simple as:



resource "aws_ecr_repository" "ecr" {
  name = "my-testing-repo"

  image_scanning_configuration {
    scan_on_push = true
  }
}


You provide a name for the repository and choose to scan every image when it is pushed. This adds a last security check to find known vulnerabilities in the container image you are about to deploy. Note that scan_on_push only scans at push time: an image that stays in the repository keeps the findings from its last scan (with basic scanning it is not re-scanned unless you trigger a scan), which is exactly how old, unused images accumulate findings in Security Hub.


But if you don't attach a lifecycle policy to the repository, you will keep storing outdated images, increasing your bill and filling Security Hub with findings for images you no longer run. Security Hub's AWS Foundational Security Best Practices standard also flags ECR repositories that have no lifecycle policy at all.


A lifecycle policy can delete old images based on how long they've been in your repository, or cap the number of images at whatever works for you.


In terraform:



resource "aws_ecr_lifecycle_policy" "foopolicy" {
  repository = aws_ecr_repository.ecr.name
  policy     = file("${path.module}/ecr_lifecycle.json")
}



The policy will have the following format:


{
  "rules": [
    {
      "rulePriority": integer,
      "description": "string",
      "selection": {
        "tagStatus": "tagged"|"untagged"|"any",
        "tagPrefixList": list<string>,
        "countType": "imageCountMoreThan"|"sinceImagePushed",
        "countUnit": "string",
        "countNumber": integer
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}



If tagStatus is untagged or any, the tagPrefixList parameter is not needed (and is not allowed); it is required when tagStatus is tagged. Rules are evaluated from the lowest rulePriority upwards, each image can be expired by at most one rule, and a rule with tagStatus any must have the highest rulePriority in the policy.


If countType is set to imageCountMoreThan, you also specify countNumber to create a rule that caps the number of images matched by the rule: the countNumber most recently pushed images are kept and the rest expire.


{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep last 4 images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 4
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}



If countType is set to sinceImagePushed, you also specify countUnit (days) and countNumber to put a time limit on the images that exist in your repository; countUnit is only valid with this countType.


{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire images older than 14 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 14
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
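To see what a policy will actually do before you attach it, here is an added Python helper (example code, not from the original post or from Teracloud). It renders the JSON that the Terraform file() call reads, validates the constraints ECR enforces on rules, and simulates which images would expire, combining the two rules above with an assumed tagged "prod-" rule. The digests, tags and push dates are constructed sample data. The simulation is an approximation of the documented evaluation order; the authoritative dry run is `aws ecr start-lifecycle-policy-preview --repository-name <repo> --lifecycle-policy-text file://ecr_lifecycle.json`, followed by `aws ecr get-lifecycle-policy-preview --repository-name <repo>`.

```python
"""Render, validate and dry-run an ECR lifecycle policy locally.

Approximates ECR's documented evaluation: rules run from the lowest
rulePriority upwards, an image is expired by at most one rule, and an
image selected by a higher-priority rule is never expired by a later one.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Combined policy: the post's two rules plus an assumed "prod-" rule.
POLICY = {"rules": [
    {"rulePriority": 1, "description": "Keep the 2 newest prod-* images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["prod-"],
                   "countType": "imageCountMoreThan", "countNumber": 2},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Expire untagged images older than 14 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 14},
     "action": {"type": "expire"}},
    {"rulePriority": 3, "description": "Keep last 4 of everything else",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                   "countNumber": 4},
     "action": {"type": "expire"}},
]}


def render_policy(policy=POLICY) -> str:
    """JSON text to write to ecr_lifecycle.json (what Terraform's file() reads)."""
    return json.dumps(policy, indent=2)


def validate_policy(policy) -> list:
    """Return the constraint violations found; an empty list means the policy is well-formed."""
    problems = []
    rules = sorted(policy["rules"], key=lambda r: r["rulePriority"])
    prios = [r["rulePriority"] for r in rules]
    if len(set(prios)) != len(prios):
        problems.append("rulePriority values must be unique")
    status = [r["selection"]["tagStatus"] for r in rules]
    if status.count("untagged") > 1:
        problems.append("only one rule may select untagged images")
    if status.count("any") > 1:
        problems.append("only one rule may use tagStatus any")
    if "any" in status and status[-1] != "any":
        problems.append("the tagStatus any rule must have the highest rulePriority")
    for r in rules:
        sel, p = r["selection"], r["rulePriority"]
        # tagged rules need a prefix list (ECR also accepts tagPatternList; not modeled here)
        if sel["tagStatus"] == "tagged" and not sel.get("tagPrefixList"):
            problems.append(f"rule {p}: tagged rules need tagPrefixList")
        if sel["tagStatus"] != "tagged" and "tagPrefixList" in sel:
            problems.append(f"rule {p}: tagPrefixList is only allowed with tagStatus tagged")
        if sel["countType"] == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {p}: sinceImagePushed needs countUnit days")
        if sel["countType"] == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {p}: countUnit is only allowed with sinceImagePushed")
    return problems


@dataclass
class Image:
    digest: str
    pushed_at: datetime
    tags: list = field(default_factory=list)


def _matches(selection, image) -> bool:
    status = selection["tagStatus"]
    if status == "any":
        return True
    if status == "untagged":
        return not image.tags
    return any(t.startswith(p) for t in image.tags for p in selection["tagPrefixList"])


def expired_images(policy, images, now) -> set:
    """Digests the policy would expire when evaluated at `now`."""
    rules = sorted(policy["rules"], key=lambda r: r["rulePriority"])
    owned = {r["rulePriority"]: [] for r in rules}
    for img in images:
        for r in rules:                       # lowest rulePriority first
            if _matches(r["selection"], img):
                owned[r["rulePriority"]].append(img)
                break                         # at most one rule per image
    expired = set()
    for r in rules:
        sel = r["selection"]
        newest_first = sorted(owned[r["rulePriority"]], key=lambda i: i.pushed_at, reverse=True)
        if sel["countType"] == "imageCountMoreThan":
            expired.update(i.digest for i in newest_first[sel["countNumber"]:])
        else:                                 # sinceImagePushed, countUnit days
            cutoff = now - timedelta(days=sel["countNumber"])
            expired.update(i.digest for i in newest_first if i.pushed_at < cutoff)
    return expired


# Constructed sample repository contents (fake digests, assumed push dates).
NOW = datetime(2024, 7, 10, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    Image("sha256:a1", NOW - timedelta(days=40), ["prod-1.0"]),
    Image("sha256:b2", NOW - timedelta(days=20), ["prod-1.1"]),
    Image("sha256:c3", NOW - timedelta(days=3), ["prod-1.2"]),
    Image("sha256:d4", NOW - timedelta(days=30)),            # untagged, stale
    Image("sha256:e5", NOW - timedelta(days=2)),             # untagged, recent
    Image("sha256:f6", NOW - timedelta(days=50), ["dev-abc"]),
    Image("sha256:g7", NOW - timedelta(days=10), ["dev-def"]),
    Image("sha256:h8", NOW - timedelta(days=1), ["dev-ghi"]),
]

if __name__ == "__main__":
    print(render_policy())
    print("problems:", validate_policy(POLICY))
    print("would expire:", sorted(expired_images(POLICY, SAMPLE_IMAGES, NOW)))
```

With the sample above, only the oldest prod image and the 30-day-old untagged image expire: the dev images fall under the "any" rule and there are fewer than four of them. Expiring an image does not stop tasks that already pulled it, but any later pull of that tag or digest will fail, so keep the count high enough to cover a rollback.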






Lourdes Dorado


Cloud Engineer


Teracloud









 
