ECR Repository should use customer-managed keys to allow more control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | ecr |
| Provider | AWS |
Description
The ECR repository relies on AWS-managed encryption keys instead of a customer-managed KMS key, limiting control over encryption settings such as key rotation and access policies. This setup does not provide fine-grained management of encrypted container images.
Impact
Without customer-managed keys, security teams cannot enforce custom key rotation schedules or strict access controls. If the AWS-managed key is compromised or misused, there is limited ability to respond, increasing the risk of unauthorized access to sensitive container images.
Resolution
Use customer-managed keys: configure the repository's encryption with encryption type KMS and a KMS key you own, rather than the default AES256 (SSE-S3) setting or the AWS-managed aws/ecr key, so that key rotation and the key policy stay under your control.
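As an added example (not part of this rule's own tooling), the following Python check audits repositories for this finding. It works on the shapes returned by boto3's ecr.describe_repositories and kms.describe_key, since the ECR response alone cannot distinguish the AWS-managed aws/ecr key from a customer-managed one; all account IDs, key ARNs and repository names below are constructed sample data.

```python
# Added example (not the rule's own checker): audit ECR repositories for a
# customer-managed KMS key. Input shapes mirror boto3's ecr.describe_repositories
# and kms.describe_key responses; all sample values below are constructed.

ACCT = "111111111111"
REGION = "us-east-1"
AWS_KEY = f"arn:aws:kms:{REGION}:{ACCT}:key/aaaaaaaa-0000-4000-8000-000000000001"
CMK = f"arn:aws:kms:{REGION}:{ACCT}:key/bbbbbbbb-0000-4000-8000-000000000002"

# Constructed: the "repositories" list from ecr.describe_repositories().
SAMPLE_REPOSITORIES = [
    # ECR default: SSE-S3 (AES256), no KMS key involved at all.
    {"repositoryName": "app-default",
     "encryptionConfiguration": {"encryptionType": "AES256"}},
    # KMS, but backed by the AWS-managed aws/ecr key: still no customer control.
    {"repositoryName": "app-aws-managed",
     "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": AWS_KEY}},
    # KMS with a customer-managed key: compliant.
    {"repositoryName": "app-cmk",
     "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": CMK}},
]

# Constructed: key ARN -> kms.describe_key()["KeyMetadata"]["KeyManager"].
# The ECR response alone cannot tell aws/ecr from a CMK; KMS must be consulted.
SAMPLE_KEY_MANAGERS = {AWS_KEY: "AWS", CMK: "CUSTOMER"}


def uses_customer_managed_key(repo, key_managers):
    """True only if the repository is KMS-encrypted with a CUSTOMER-managed key."""
    enc = repo.get("encryptionConfiguration", {})
    # AES256 is the SSE-S3 default; KMS and KMS_DSSE are the KMS-backed types.
    if enc.get("encryptionType") not in ("KMS", "KMS_DSSE"):
        return False
    # A key whose manager is unknown is treated as non-compliant, not assumed safe.
    return key_managers.get(enc.get("kmsKey")) == "CUSTOMER"


def find_noncompliant(repositories, key_managers):
    """Names of repositories that violate the rule, in the order given."""
    return [r["repositoryName"] for r in repositories
            if not uses_customer_managed_key(r, key_managers)]


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_REPOSITORIES, SAMPLE_KEY_MANAGERS):
        print(f"{name}: not encrypted with a customer-managed KMS key")
```

Against a live account, feed `find_noncompliant` the paginated `describe_repositories` output and a lookup built by calling `describe_key` on each distinct `kmsKey` ARN.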