Metadata

Id: 60bfbb8a-c72f-467f-a6dd-a46b7d612789

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

ECR repositories should enforce immutable image tags to prevent tags from being overwritten. Allowing mutable tags can enable accidental or malicious replacement of images, facilitating supply-chain tampering or execution of unexpected code. For Ansible tasks using the community.aws.ecs_ecr or ecs_ecr modules, the image_tag_mutability property must be defined and set to the literal string "immutable". Resources missing this property or set to any other value are flagged.

Secure Ansible task example:

- name: Create ECR repository with immutable tags
  community.aws.ecs_ecr:
    name: my-repo
    image_tag_mutability: immutable
    state: present
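The check the rule performs can be reproduced outside the scanner. The following is an added example, not Datadog's rule implementation: it walks a list of Ansible tasks (already parsed, as yaml.safe_load would return them from a task file), finds calls to community.aws.ecs_ecr or the short ecs_ecr name, and flags any task where image_tag_mutability is absent or not the literal string "immutable". The sample tasks are constructed to mirror the examples on this page; load_tasks and PyYAML are optional conveniences assumed for parsing real files.

```python
"""Flag Ansible ECR tasks whose image_tag_mutability is missing or not "immutable".

Added example for this rule page; not the scanner's own code.
"""
from typing import Any, Dict, List, Optional, Tuple

try:
    import yaml  # PyYAML; only needed by load_tasks(), not by the checks
except ImportError:  # pragma: no cover
    yaml = None

# Module names the rule covers, as named on the page (FQCN and legacy short name).
ECR_MODULES = {"community.aws.ecs_ecr", "ecs_ecr"}


def find_ecr_call(task: Dict[str, Any]) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (module_name, module_args) if the task calls an ECR module, else None.

    Free-form string arguments ("name=super/cool") carry no mapping, so they are
    treated as an empty argument dict, which the rule then flags as missing.
    """
    for key, value in task.items():
        if key in ECR_MODULES:
            return key, value if isinstance(value, dict) else {}
    return None


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a finding for a non-compliant ECR task, or None if compliant or not ECR."""
    hit = find_ecr_call(task)
    if hit is None:
        return None
    module, args = hit
    label = task.get("name", "<unnamed task>")
    mutability = args.get("image_tag_mutability")
    if mutability is None:
        # AWS creates repositories with mutable tags unless told otherwise.
        return f"{label}: {module} is missing image_tag_mutability (AWS default is mutable)"
    if mutability != "immutable":
        # Any other value, including "mutable" or a misspelling, fails the rule.
        return f"{label}: image_tag_mutability is {mutability!r}, expected 'immutable'"
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Run check_task over every task and collect the findings in order."""
    return [f for f in (check_task(t) for t in tasks) if f is not None]


def load_tasks(text: str) -> List[Dict[str, Any]]:
    """Parse a YAML task file (a top-level list of tasks). Requires PyYAML."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse playbook text")
    loaded = yaml.safe_load(text)
    return loaded if isinstance(loaded, list) else []


# Constructed sample: the page's compliant and non-compliant tasks, plus one
# unrelated task that the checker must ignore.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "create immutable ecr-repo v4",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "immutable"}},
    {"name": "create immutable ecr-repo",
     "community.aws.ecs_ecr": {"name": "super/cool"}},
    {"name": "create immutable ecr-repo v2",
     "community.aws.ecs_ecr": {"name": "super/cool", "image_tag_mutability": "mutable"}},
    {"name": "unrelated task",
     "ansible.builtin.debug": {"msg": "not an ECR repository"}},
]


if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print("FAIL:", finding)
```

Running the module prints two findings: one for the task that omits the property and one for the task that sets it to "mutable"; the "v4" task and the debug task produce none.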

Compliant Code Examples

- name: create immutable ecr-repo v4
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: immutable

Non-Compliant Code Examples

- name: create immutable ecr-repo
  community.aws.ecs_ecr:
    name: super/cool
    # image_tag_mutability is not set, so the repository is created with mutable tags
- name: create immutable ecr-repo v2
  community.aws.ecs_ecr:
    name: super/cool
    image_tag_mutability: mutable   # explicitly allows tags to be overwritten