ECR Rules
These rules identify ECR repositories that are missing lifecycle policies, which causes image storage to grow unbounded over time.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-ECR-1 | Discovery and IaC | ECR Repository Missing Lifecycle Policy |
CLDBRN-AWS-ECR-1
ECR Repository Missing Lifecycle Policy
Scan type: Discovery and IaC
What it checks
Flags ECR repositories that have no lifecycle policy configured. Without a lifecycle policy, every pushed image is retained indefinitely. Active CI/CD pipelines can push dozens of images per day, causing storage to accumulate rapidly.
Why it matters
ECR charges $0.10 per GB per month for storage. A repository receiving 10 image pushes per day, each 500 MB, accumulates 150 GB per month — $15/month from a single repository. Multiply across all repositories in an organization and the cost compounds quickly. Lifecycle policies expire old and untagged images automatically, keeping storage bounded.
What triggers a finding
`hasLifecyclePolicy` is `false` for the repository.
How to remediate
Add a lifecycle policy to expire untagged images and limit the number of tagged images retained. A common starting policy is shown below; note that its second rule only matches tags beginning with `v`, so adjust `tagPrefixList` to your own tagging scheme or images with other tags are never expired:

```json
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire untagged images older than 7 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 7
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 2,
      "description": "Keep only the 10 most recent images tagged with prefix v",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["v"],
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": { "type": "expire" }
    }
  ]
}
```
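The following is an added example, not code from the scanner or from AWS. It evaluates the CLDBRN-AWS-ECR-1 condition (`hasLifecyclePolicy` false) over a constructed repository inventory, and then runs a simplified simulation of the policy above against a constructed set of images to show which ones the two rules would expire. The record shapes, the image set, and the evaluation model (rules applied in priority order, each image expired at most once) are assumptions made for illustration; the real ECR evaluator is the authority on edge cases.

```python
"""Added example: CLDBRN-AWS-ECR-1 finding check plus a simplified
simulation of the page's ECR lifecycle policy. Not the scanner's code."""
from datetime import datetime, timedelta, timezone

# Constructed repository inventory, shaped like a discovery scan result.
# `hasLifecyclePolicy` is the attribute the rule inspects (assumed shape).
REPOSITORIES = [
    {"repositoryName": "api", "hasLifecyclePolicy": False},
    {"repositoryName": "worker", "hasLifecyclePolicy": True},
    {"repositoryName": "frontend", "hasLifecyclePolicy": False},
]

# The remediation policy from this page, as a Python dict.
POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images older than 7 days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 7},
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the 10 most recent images tagged with prefix v",
            "selection": {"tagStatus": "tagged", "tagPrefixList": ["v"],
                          "countType": "imageCountMoreThan", "countNumber": 10},
            "action": {"type": "expire"},
        },
    ]
}

# Fixed "now" so the simulation is deterministic (constructed value).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def find_missing_lifecycle_policy(repos):
    """Return one CLDBRN-AWS-ECR-1 finding per repository without a policy."""
    return [
        {"ruleId": "CLDBRN-AWS-ECR-1", "repository": r["repositoryName"]}
        for r in repos
        if not r.get("hasLifecyclePolicy", False)
    ]


def _matches_selection(image, selection):
    """Does this image fall within the rule's tagStatus / tagPrefixList scope?"""
    tagged = bool(image["tags"])
    if selection["tagStatus"] == "untagged":
        return not tagged
    if selection["tagStatus"] == "tagged":
        prefixes = selection.get("tagPrefixList", [])
        return tagged and any(t.startswith(p) for t in image["tags"] for p in prefixes)
    return True  # "any"


def simulate_expiry(policy, images, now):
    """Apply rules in priority order (lowest number first); an image already
    expired by an earlier rule is not re-evaluated. Returns expired digests."""
    expired = set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        candidates = [i for i in images
                      if i["digest"] not in expired and _matches_selection(i, sel)]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])  # countUnit is days
            expired.update(i["digest"] for i in candidates if i["pushedAt"] < cutoff)
        elif sel["countType"] == "imageCountMoreThan":
            candidates.sort(key=lambda i: i["pushedAt"], reverse=True)  # newest first
            expired.update(i["digest"] for i in candidates[sel["countNumber"]:])
    return expired


def build_sample_images(now):
    """Constructed repository contents: 12 daily 'vN' builds (v1 newest),
    one 30-day-old 'latest' tag, and three untagged layers of mixed age."""
    images = [{"digest": f"sha256:v{n:02d}", "tags": [f"v{n}"],
               "pushedAt": now - timedelta(days=n)} for n in range(1, 13)]
    images.append({"digest": "sha256:latest", "tags": ["latest"],
                   "pushedAt": now - timedelta(days=30)})
    for name, age in (("u-a", 3), ("u-b", 10), ("u-c", 20)):
        images.append({"digest": f"sha256:{name}", "tags": [],
                       "pushedAt": now - timedelta(days=age)})
    return images


def run_example(now=NOW):
    """Findings for the inventory and the digests the policy would expire."""
    findings = [f["repository"] for f in find_missing_lifecycle_policy(REPOSITORIES)]
    expired = simulate_expiry(POLICY, build_sample_images(now), now)
    return {"findings": findings, "expired": expired}


if __name__ == "__main__":
    result = run_example()
    print("CLDBRN-AWS-ECR-1 findings:", result["findings"])
    print("Digests the policy would expire:", sorted(result["expired"]))
```

Two things the simulation makes visible that the policy text alone does not: the untagged rule leaves the 3-day-old untagged image alone until it crosses the 7-day threshold, and the 30-day-old `latest` image survives because `tagPrefixList` only scopes rule 2 to tags starting with `v`.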
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ecr_repository, aws_ecr_lifecycle_policy |
| CloudFormation | AWS::ECR::Repository |
See Also
- CLI discover command — scan live ECR repositories
- CLI scan command — scan IaC templates for ECR issues
- SDK Reference — run scans programmatically