Ensure ECR repositories have scan on push enabled

Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. Since a potential security issue may be present, it is important to have your container scanned to validate there are no security issues present. For this reason it is considered a security best practice to not allow tags to be changed.

Audit & Remediation

  • Login into your AWS account
  • Navigate to the ECR service at: https://console.aws.amazon.com/ecr
  • On the ECR main page, pinpoint any Repository name that has Tag immutability set to Disabled.



  • In the top right corner of this window, selectEdit button.
  • In the main panel, under Image scan settings select Enabled and select the Save button a the bottom.



  • Repeat the outlined steps for each repository.
  • Repeat the outlined steps for each region that you have ECR repositories in.
  • Repeat the outlined steps for each AWS account that you have.
See all of your AWS EC2 Instances in a single place!

Do you want to see all of your AWS EC2 Instances in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.


Other Key Features


Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +