
Prevent Security Hub findings from old scanned ECR images (and save money in the process)


Checking Security Hub after setting it up, I found a ton of findings related to old ECR images I had in my repo.


If you have never done this, now is the time; and if you are just starting to create your ECR repo, you had better implement it from the start!


As we know, creating an ECR repo in Terraform is as simple as:



resource "aws_ecr_repository" "ecr" {
  name = "my-testing-repo"

  image_scanning_configuration {
    scan_on_push = true
  }
}


You provide a name for the repo and choose to scan your images every time you push a new one to the repo. This way you add a last security check to find vulnerabilities in the Docker image you will deploy.


But if you don't provide a lifecycle policy for the images in the repo, you will keep storing outdated images and increasing your bill!


You can delete old images based on how long they've been in your repository, or limit the number of images to a number that works for you.


In Terraform:



resource "aws_ecr_lifecycle_policy" "foopolicy" {
  repository = aws_ecr_repository.ecr.name
  policy     = file("${path.module}/ecr_lifecycle.json")
}



The policy will have the following format:


{
  "rules": [
    {
      "rulePriority": integer,
      "description": "string",
      "selection": {
        "tagStatus": "tagged"|"untagged"|"any",
        "tagPrefixList": list<string>,
        "countType": "imageCountMoreThan"|"sinceImagePushed",
        "countUnit": "string",
        "countNumber": integer
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}



If tagStatus is untagged or any, the tagPrefixList parameter is not needed; it only applies when tagStatus is tagged.


If countType is set to imageCountMoreThan, you also specify countNumber to create a rule that limits the number of images kept in your repository:


{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep last 4 images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 4
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}



If countType is set to sinceImagePushed, you also specify countUnit and countNumber to set a time limit on how long images stay in your repository:


{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire images older than 14 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 14
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
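Before applying a policy it helps to see which images it would actually expire, especially when both kinds of rule are combined and rulePriority decides which rule claims an image. The following added example (not part of the original post or of AWS tooling) parses a constructed ecr_lifecycle.json that combines the two rules above and previews it against a constructed image list; it approximates the evaluation AWS performs (an image is expired by at most one rule, later rules still count images already matched by an earlier one, and countUnit accepts only "days"), so treat the real lifecycle policy preview in ECR as the authoritative check.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws ecr describe-images` would list (not real data).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
IMAGES = [
    {"digest": "sha256:a1", "tags": ["v1.0"], "pushed": NOW - timedelta(days=40)},
    {"digest": "sha256:b2", "tags": [], "pushed": NOW - timedelta(days=30)},
    {"digest": "sha256:c3", "tags": ["v1.1"], "pushed": NOW - timedelta(days=20)},
    {"digest": "sha256:d4", "tags": [], "pushed": NOW - timedelta(days=5)},
    {"digest": "sha256:e5", "tags": ["v1.2"], "pushed": NOW - timedelta(days=3)},
    {"digest": "sha256:f6", "tags": ["v1.3"], "pushed": NOW - timedelta(days=1)},
]
# The post's two rules combined into one ecr_lifecycle.json (constructed).
POLICY = json.loads("""{"rules": [
 {"rulePriority": 1, "description": "Expire untagged images older than 14 days",
  "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                "countUnit": "days", "countNumber": 14}, "action": {"type": "expire"}},
 {"rulePriority": 2, "description": "Keep last 4 images",
  "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 4},
  "action": {"type": "expire"}}]}""")

def matches(selection, image):
    """Does the rule's tagStatus (and tagPrefixList, for 'tagged') cover this image?"""
    status = selection["tagStatus"]
    if status == "any":
        return True
    if status == "untagged":
        return not image["tags"]
    prefixes = selection["tagPrefixList"]  # required only for tagStatus "tagged"
    return any(t.startswith(p) for t in image["tags"] for p in prefixes)

def preview(policy, images, now=NOW):
    """Digests the policy would expire, evaluated by rulePriority. Approximates AWS:
    an image is expired by at most one rule, but later rules still count it."""
    rules = sorted(policy["rules"], key=lambda r: r["rulePriority"])
    if len({r["rulePriority"] for r in rules}) != len(rules):
        raise ValueError("rulePriority values must be unique")
    claimed, expired = set(), []
    for rule in rules:
        sel = rule["selection"]
        matched = sorted([i for i in images if matches(sel, i)], key=lambda i: i["pushed"], reverse=True)
        if sel["countType"] == "imageCountMoreThan":
            doomed = matched[sel["countNumber"]:]  # everything beyond the newest N
        else:  # sinceImagePushed; AWS accepts only "days" as countUnit
            assert sel["countUnit"] == "days", "countUnit must be 'days'"
            doomed = [i for i in matched if now - i["pushed"] > timedelta(days=sel["countNumber"])]
        expired += [i["digest"] for i in doomed if i["digest"] not in claimed]
        claimed |= {i["digest"] for i in matched}
    return expired
```

Running preview(POLICY, IMAGES) shows the untagged 30-day-old image expiring under rule 1 and the oldest tagged image under rule 2, while the 5-day-old untagged image survives because rule 1 already matched it and rule 2 still counts it among the newest four.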






Lourdes Dorado


Cloud Engineer


Teracloud







If you want to know more about Cost Optimization, we suggest checking out Cost Optimization on AWS: 10 Tips to Save Money.

 

If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs, and subscribe to stay aware of any news!


