AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-27 · Documentation low

File: securityhub/latest/userguide/ecr-controls.md

Summary

Added new ECR.5 control for KMS encryption of ECR repositories, updated AWS Config rule formatting, and added detailed documentation about KMS encryption requirements.

Security assessment

The change introduces documentation for a new security control related to KMS encryption but does not indicate it is addressing a specific security vulnerability or incident.

Diff

diff --git a/securityhub/latest/userguide/ecr-controls.md
index 243bfb302..faadc6e37 100644
--- a/securityhub/latest/userguide/ecr-controls.md
+++ b/securityhub/latest/userguide/ecr-controls.md
@@ -5 +5 @@
-[ECR.1] ECR private repositories should have image scanning configured[ECR.2] ECR private repositories should have tag immutability configured[ECR.3] ECR repositories should have at least one lifecycle policy configured[ECR.4] ECR public repositories should be tagged
+[ECR.1] ECR private repositories should have image scanning configured[ECR.2] ECR private repositories should have tag immutability configured[ECR.3] ECR repositories should have at least one lifecycle policy configured[ECR.4] ECR public repositories should be tagged[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys
@@ -23 +23 @@ These controls may not be available in all AWS Regions. For more information, se
-**AWS Config rule:** [`ecr-private-image-scanning-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html)
+**AWS Config rule:** [ecr-private-image-scanning-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html)
@@ -47 +47 @@ To configure image scanning for an ECR repository, see [Image scanning](https://
-**AWS Config rule:** [`ecr-private-tag-immutability-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html)
+**AWS Config rule:** [ecr-private-tag-immutability-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html)
@@ -71 +71 @@ To create a repository with immutable tags configured or to update the image tag
-**AWS Config rule:** [`ecr-private-lifecycle-policy-configured`](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html)
+**AWS Config rule:** [ecr-private-lifecycle-policy-configured](https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html)
@@ -114,0 +115,34 @@ To add tags to an ECR public repository, see [Tagging an Amazon ECR public repos
+## [ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys
+
+**Related requirements:** NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6), NIST.800-53.r5 AU-9
+
+**Category:** Protect > Data Protection > Encryption of data-at-rest
+
+**Severity:** Medium
+
+**Resource type:** `AWS::ECR::Repository`
+
+**AWS Config rule:** [ecr-repository-cmk-encryption-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ecr-repository-cmk-encryption-enabled.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`kmsKeyArns` |  A list of Amazon Resource Names (ARNs) of AWS KMS keys to include in the evaluation. The control generates a `FAILED` finding if an ECR repository isn't encrypted with a KMS key in the list. |  StringList (maximum of 10 items) |  1–10 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` |  No default value  
+  
+This control checks whether an Amazon ECR repository is encrypted at rest with a customer managed AWS KMS key. The control fails if the ECR repository isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.
+
+By default, Amazon ECR encrypts repository data with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure Amazon ECR to encrypt the data with an AWS KMS key (SSE-KMS or DSSE-KMS) instead. The KMS key can be: an AWS managed key that Amazon ECR creates and manages for you and has the alias `aws/ecr`, or a customer managed key that you create and manage in your AWS account. With a customer managed KMS key, you have full control of the key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key.
+
+###### Note
+
+AWS KMS supports cross-account access to KMS keys. If an ECR repository is encrypted with a KMS key that’s owned by another account, this control doesn’t perform cross-account checks when it evaluates the repository. The control doesn’t assess whether Amazon ECR can access and use the key when performing cryptographic operations for the repository.
+
+### Remediation
+
+You can't change the encryption settings for an existing ECR repository. However, you can specify different encryption settings for ECR repositories that you subsequently create. Amazon ECR supports the use of different encryption settings for individual repositories.
+
+For more information about encryption options for ECR repositories, see [Encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the _Amazon ECR User Guide_. For more information about customer managed AWS KMS keys, see [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the _AWS Key Management Service Developer Guide_.
+