Prevent Security Hub findings from scans of old ECR images (and save money in the process)



 

Checking Security Hub after setting it up, I found a ton of findings related to old ECR images I had in my repo.



If you have never done this, now is the time; and if you are just starting to create your ECR repo, you should implement it from the start!


As we know, creating an ECR repo in Terraform is as simple as:



resource "aws_ecr_repository" "ecr" {
  name = "my-testing-repo"

  image_scanning_configuration {
    scan_on_push = true
  }
}


You provide a name for the repo and choose to scan your images every time you push a new one. This way you add a last security check that finds vulnerabilities in the Docker image you are about to deploy.


But if you don't provide a lifecycle policy for the images in the repo, you will keep storing outdated images and increasing your bill!


You can delete old images based on how long they've been in your repository, or limit the number of images to a number that works for you.
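Both approaches can be combined in one `aws_ecr_lifecycle_policy` attached to the repo. The following is an added example, not the post's own snippet: the repository name, the `release-` tag prefix and the numbers (7 days, 10 images) are assumptions you should tune to your release flow.

```hcl
# Added example (not the post's own snippet). Repo name, tag prefix and
# the thresholds below are assumptions; adjust them to your release flow.
resource "aws_ecr_repository" "ecr" {
  name = "my-testing-repo"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_lifecycle_policy" "ecr" {
  repository = aws_ecr_repository.ecr.name

  # ECR evaluates rules from lowest to highest rulePriority; an image is
  # expired by the first rule that matches it and is not evaluated again.
  policy = jsonencode({
    rules = [
      {
        # Untagged images are usually layers left behind when a moving
        # tag (e.g. "latest") is re-pushed: drop them after 7 days.
        rulePriority = 1
        description  = "Expire untagged images older than 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        # Keep only the 10 most recent release images; older ones are
        # expired, so they are neither stored nor reported on any more.
        rulePriority = 2
        description  = "Keep only the last 10 release images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["release-"]
          countType     = "imageCountMoreThan"
          countNumber   = 10
        }
        action = { type = "expire" }
      }
    ]
  })
}
```

Expiration is a permanent delete, so before applying a new policy to a repo that is already in use, run `aws ecr start-lifecycle-policy-preview --repository-name my-testing-repo` (followed by `get-lifecycle-policy-preview`) to see exactly which images would be removed, and make sure no running deployment still pins a tag that falls outside the retained set.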


In Terraform: