Skip to content

Terraform AWS ECR

ECR repositories with image scanning, immutable tags, KMS encryption, lifecycle policies, repository policies, replication, and controlled push and pull access.

2 controls enforced8 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "ecr" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cis.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cisv600.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "nis2.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

module "ecr" {
  source  = "soc2.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "ecr" {
  source  = "terraform-aws-modules/ecr/aws"
  version = "1.0"
}

module "ecr" {
  source  = "soc2.compliance.tf/terraform-aws-modules/ecr/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "ecr" {
  source  = "terraform-aws-modules/ecr/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML3-6.4: Patch operating systems ML3

Application Security

Infrastructure protection

Security foundations

RA-5: Vulnerability Scanning

SI-2(5): Automatic Software And Firmware Updates

PR.PS-06

11.3.1: External and internal vulnerabilities are regularly identified, prioritized, and addressed.

11.3.1.2: External and internal vulnerabilities are regularly identified, prioritized, and addressed.

11.3.1.3: 3 Internal vulnerability scans are performed after any significant change

11.3.1.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.

3.1.a Identification and Classification of Information Assets

CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlNIST Cybersecurity Framework v2.0ACSC Essential EightAWS Well-Architected Framework v10FedRAMP Moderate Baseline Rev 4NIST SP 800-53 Rev 5PCI DSS v4.0RBI IT Framework for NBFCsSOC 2
ECR repositories should have image scan on push enabled
ECR private repositories should have tag immutability configured

Showing top 8 frameworks by coverage. All framework endpoints →