Ensure there is a lifecycle policy defined for each Amazon ECR image repository in order to automatically remove untagged and old container images. A lifecycle policy is a set of one or more management rules, where each rule defines an action for Amazon ECR. The actions apply to container images that contain tags prefixed with the given strings.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Elastic Container Registry (ECR) service transitions and removes container images according to the lifecycle policy that you define. Expiring container images based on age or count allows the automation of cleaning up old and unused images available within your Amazon ECR repositories. You should expect that after creating a lifecycle policy the affected Amazon ECR images are expired within 24 hours.
To determine if your Amazon ECR image repositories are using lifecycle policies to remove untagged and old container images, perform the following actions:
Remediation / Resolution
An Amazon ECR lifecycle policy allows you to create a set of rules that expire unused images. To create and configure lifecycle policies that remove untagged and old images, perform the following actions:Note: As example, this section demonstrates how to implement a lifecycle policy that expires untagged repository images older than 14 days.
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Lifecycle Policy in Use
Risk level: Low