Medium
ECR
Regional
ECR repositories should be encrypted with customer managed AWS KMS keys
NIST 800-53
Description
This control checks whether an Amazon ECR repository is encrypted at rest with a customer managed AWS KMS key. The control fails if the ECR repository isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.
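The pass/fail logic described above can be reproduced offline against saved API output. This is an added example, not the control's own implementation: it assumes repository records shaped like `aws ecr describe-repositories` output and a key-to-manager map built from the `KeyManager` field of `aws kms describe-key`. The function names, the reading of the optional key list as an allow-list, the acceptance of `KMS_DSSE`, and all sample ARNs are assumptions made for illustration.

```python
# Added example: offline evaluation of the control's pass/fail logic.
# Record shapes mirror `aws ecr describe-repositories`; key managers come
# from `aws kms describe-key` (KeyMetadata.KeyManager). Sample data is constructed.
KMS_TYPES = {"KMS", "KMS_DSSE"}  # assumption: dual-layer KMS also counts as KMS


def evaluate_repository(repo, key_managers, allowed_keys=None):
    """Return (status, reason) for one repository record.

    key_managers: {key ARN: "AWS" | "CUSTOMER"} as reported by KMS.
    allowed_keys: optional collection of key ARNs the control accepts.
    """
    enc = repo.get("encryptionConfiguration") or {}
    enc_type = enc.get("encryptionType", "AES256")  # AES256 is the ECR default
    if enc_type not in KMS_TYPES:
        return "FAILED", f"encryptionType is {enc_type}, not KMS"
    key = enc.get("kmsKey")
    manager = key_managers.get(key)
    if manager is None:
        return "FAILED", "key manager unknown; treated as not compliant"
    if manager != "CUSTOMER":
        return "FAILED", "KMS key is AWS managed"
    if allowed_keys is not None and key not in allowed_keys:
        return "FAILED", "customer managed key is not in the allowed list"
    return "PASSED", "encrypted with a customer managed KMS key"


def evaluate_all(repos, key_managers, allowed_keys=None):
    """Map repository name to PASSED/FAILED."""
    return {r["repositoryName"]: evaluate_repository(r, key_managers, allowed_keys)[0]
            for r in repos}


# Constructed sample data (placeholder account ID and key IDs).
_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"
CMK, OTHER_CMK, AWS_KEY = (_PREFIX + s for s in
                           ("EXAMPLE-cmk-1", "EXAMPLE-cmk-2", "EXAMPLE-aws-managed"))
SAMPLE_KEY_MANAGERS = {CMK: "CUSTOMER", OTHER_CMK: "CUSTOMER", AWS_KEY: "AWS"}
SAMPLE_REPOS = [
    {"repositoryName": "app-cmk", "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": CMK}},
    {"repositoryName": "app-other", "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": OTHER_CMK}},
    {"repositoryName": "app-awskey", "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": AWS_KEY}},
    {"repositoryName": "app-aes", "encryptionConfiguration": {"encryptionType": "AES256"}},
]

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_REPOS, SAMPLE_KEY_MANAGERS, {CMK}).items():
        print(f"{name}: {status}")
```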
Remediation
To enable customer managed KMS encryption for your ECR repository, you need to configure the encryption settings when creating or updating the repository.
Steps
- Navigate to the Amazon ECR console
- Select the repository you want to configure
- Choose 'Edit' and go to 'Encryption settings'
- Select 'KMS' as the encryption type
- Choose a customer managed KMS key from the dropdown
- Save the changes to apply the encryption settings
Compliance
NIST 800-53