---
title: ECR image tag not immutable
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > ECR image tag not immutable
---

# ECR image tag not immutable

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-ecr-image-tag-not-immutable`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html)

### Description{% #description %}

ECR repositories should enforce immutable image tags to prevent tags from being overwritten. Allowing mutable tags can enable accidental or malicious replacement of images, facilitating supply-chain tampering or execution of unexpected code. For Ansible tasks using the `community.aws.ecs_ecr` or `ecs_ecr` modules, the `image_tag_mutability` property must be defined and set to the literal string `"immutable"`. Resources missing this property or set to any other value are flagged.

Secure Ansible task example:

```yaml
- name: Create ECR repository with immutable tags
  community.aws.ecs_ecr:
    name: my-repo
    image_tag_mutability: immutable
    state: present
```
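As an added example (not part of this page or of Datadog's rule engine), the check described above written in Python over Ansible tasks that have already been loaded from YAML (for example with `yaml.safe_load`). The sample tasks are constructed to mirror the snippets on this page; descending into `block`/`rescue`/`always` sections is an assumption about how a checker would walk a playbook.

```python
ECR_MODULES = ("community.aws.ecs_ecr", "ecs_ecr")
NESTED_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in NESTED_KEYS if isinstance(task.get(k), list)]
        for key in nested:
            yield from iter_tasks(task[key])
        if not nested:
            yield task


def check_task(task):
    """Return a finding for an ECR task that violates the rule, else None."""
    module = next((m for m in ECR_MODULES if m in task), None)
    if module is None:
        return None
    args = task[module]
    name = task.get("name", "<unnamed>")
    # Free-form string args or a missing key both mean the property is unset.
    value = args.get("image_tag_mutability") if isinstance(args, dict) else None
    if value is None:
        return f"{name}: image_tag_mutability not set"
    if value != "immutable":
        return f"{name}: image_tag_mutability is {value!r}, expected 'immutable'"
    return None


def find_violations(tasks):
    """Return findings for every ECR repository task in a loaded task list."""
    return [f for f in map(check_task, iter_tasks(tasks)) if f]


# Constructed sample tasks mirroring the YAML on this page, plus a nested block.
SAMPLE_TASKS = [
    {"name": "create immutable ecr-repo v4",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "immutable"}},
    {"name": "create immutable ecr-repo", "community.aws.ecs_ecr": {"name": "super/cool"}},
    {"name": "create immutable ecr-repo v2",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "mutable"}},
    {"block": [{"name": "short-name module",
                "ecs_ecr": {"name": "super/cool", "image_tag_mutability": "IMMUTABLE"}}]},
]

if __name__ == "__main__":
    print("\n".join(find_violations(SAMPLE_TASKS)))
```

Note that the value is compared to the literal `immutable`, as the rule states, so a differently cased value is reported even though the intent may have been correct.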

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create immutable ecr-repo v4
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: immutable
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create immutable ecr-repo
  community.aws.ecs_ecr:
    name: super/cool
- name: create immutable ecr-repo v2
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: mutable
```
