AWS Security Hub · ECR
ECR.2: Mutable image tags can be swapped under you
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ECR.2 check?
ECR.2 checks that each private ECR repository has tag immutability enabled (imageTagMutability set to IMMUTABLE). It reports FAILED when the repository is MUTABLE, meaning an existing tag can be re-pushed to point at a different image digest. New repositories are MUTABLE by default, so any repository created without the setting fails this control until it is changed.
Why does ECR.2 matter?
Mutable tags are a supply-chain risk: an attacker with push access, or a careless pipeline, can push a new image over an existing tag like :latest, so the digest you scanned and approved is not the one that runs. Immutability locks each tag to a single digest for as long as that image exists, so what you tested is exactly what deploys. It is a guard against overwrites, not a substitute for pinning: deployments that reference image@sha256:... are unaffected by tag games either way, and a tag can be reused once the image behind it has been deleted.
How do I fix ECR.2?
- Inventory repositories with mutable tags across the account (the setting is per repository and per region).
- Move pipelines off :latest and other moving tags onto immutable commit-SHA tags first, so flipping the flag does not break deploys.
- Enable tag immutability with put-image-tag-mutability set to IMMUTABLE, and create new repositories with --image-tag-mutability IMMUTABLE, since the default is MUTABLE.
- Prevent regressions with the AWS Config managed rule behind ECR.2 (ecr-private-tag-immutability-enabled) and an SCP that denies ecr:PutImageTagMutability to everyone except a designated admin role.
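The pipeline side of the steps above, as an added example that is not part of the original page: it derives a commit-SHA tag that can only ever name one build, refuses moving tags, resolves the pushed tag to its digest so deployments can pin by digest, and emits the two guard rails (an SCP denying ecr:PutImageTagMutability to all but one role, and the Config managed rule). REGISTRY, REPO and ECR_ADMIN_ROLE_ARN are placeholders, the sha- tag prefix is a convention chosen here, and the managed-rule identifier ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED is assumed from the rule name; check it against the AWS Config managed rules list before relying on it. The AWS and docker calls only run with RUN_LIVE=1; everything else works offline.

```shell
#!/usr/bin/env bash
# Added example, not from the page or from AWS: pipeline-side tagging plus
# guard rails for ECR.2. REGISTRY, REPO, ECR_ADMIN_ROLE_ARN are placeholders.
set -eu

# Tags that a human expects to move; the pipeline must never push one of these.
MOVING_TAGS="latest main master dev staging prod"

# Derive a tag that can only ever mean one build: sha-<first 12 hex chars>.
immutable_tag() {
  local sha=$1
  case "$sha" in
    *[!0-9a-f]*|"") echo "not a lowercase hex git SHA: '$sha'" >&2; return 1 ;;
  esac
  [ ${#sha} -ge 12 ] || { echo "SHA too short: $sha" >&2; return 1; }
  printf 'sha-%s\n' "$(printf '%s' "$sha" | cut -c1-12)"
}

# Refuse any tag that would be re-pointed later (the thing immutability forbids).
reject_moving_tag() {
  local t
  for t in $MOVING_TAGS; do
    [ "$1" = "$t" ] && { echo "refusing moving tag '$1'" >&2; return 1; }
  done
  return 0
}

# SCP that stops every principal except the ECR admin role (argument 1) from
# flipping a repository back to MUTABLE.
scp_document() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyTagMutabilityChanges",
    "Effect": "Deny",
    "Action": "ecr:PutImageTagMutability",
    "Resource": "*",
    "Condition": { "ArnNotEquals": { "aws:PrincipalArn": "$1" } }
  }]
}
EOF
}

# Live: push under the immutable tag, then resolve it to a digest once so the
# deployment references registry/repo@sha256:... rather than the tag.
push_and_pin() {
  local registry=$1 repo=$2 tag=$3
  reject_moving_tag "$tag"
  docker tag "$repo:build" "$registry/$repo:$tag"
  docker push "$registry/$repo:$tag"
  aws ecr describe-images --repository-name "$repo" \
    --image-ids imageTag="$tag" \
    --query 'imageDetails[0].imageDigest' --output text
}

# Live: install the Config managed rule that backs ECR.2.
# SourceIdentifier is assumed from the rule name; verify it in the AWS docs.
install_config_rule() {
  aws configservice put-config-rule --config-rule '{
    "ConfigRuleName": "ecr-private-tag-immutability-enabled",
    "Source": { "Owner": "AWS",
                "SourceIdentifier": "ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED" }
  }'
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  TAG=$(immutable_tag "$(git rev-parse HEAD)")
  DIGEST=$(push_and_pin "$REGISTRY" "$REPO" "$TAG")
  echo "deploy $REGISTRY/$REPO@$DIGEST"
  scp_document "$ECR_ADMIN_ROLE_ARN" > deny-tag-mutability-changes.json
  install_config_rule
fi
```

The SCP conditions on aws:PrincipalArn, which for an assumed-role session is the role ARN, so one break-glass role keeps the ability to change the setting while pipeline and developer roles lose it. Attach the policy above the OUs that hold your workload accounts; SCPs do not constrain the management account.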
Remediation script · bash
# Flip every MUTABLE repo in the current account/region to IMMUTABLE in one pass.
# Retag pipelines to commit-SHA tags first: any job that re-pushes an existing
# tag starts failing with ImageTagAlreadyExistsException once this has run.
# The setting is regional, so repeat per region you push to.
set -euo pipefail
aws ecr describe-repositories \
  --query "repositories[?imageTagMutability=='MUTABLE'].repositoryName" \
  --output text \
  | tr '\t' '\n' \
  | while read -r repo; do
      [ -n "$repo" ] || continue   # blank line when nothing is MUTABLE
      echo "Flipping $repo"
      aws ecr put-image-tag-mutability \
        --repository-name "$repo" \
        --image-tag-mutability IMMUTABLE \
        --output text >/dev/null
    done
# Verify the change took effect: this should print nothing.
aws ecr describe-repositories \
  --query "repositories[?imageTagMutability=='MUTABLE'].repositoryName" \
  --output text
Full walkthrough (console steps, edge cases and verification) in the lesson Enable ECR tag immutability.
Is ECR.2 a false positive?
Almost never: ECR.2 reads imageTagMutability straight from the repository, so a FAILED finding means the repository really accepts tag overwrites. Two practical points. First, if a pipeline relies on re-pushing :latest (or any other moving tag), enabling immutability breaks it with ImageTagAlreadyExistsException; retag the build process to commit-SHA tags before flipping the flag, not after. Second, PASSED is narrower than it sounds: immutability blocks overwriting a tag while an image holds it, but a principal with ecr:BatchDeleteImage can delete that image and push a different one under the same tag, and lifecycle policies that expire images free tags the same way. Restrict image deletion in the repository policy and deploy by digest where you need the stronger guarantee.
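Two checks for the points above, as an added example that is not part of the original page: a pre-deploy gate that reads each repository's setting and fails on any MUTABLE one (exercised offline on a constructed sample), and a live probe that pushes two different images under the same tag, expects the second push to be rejected, and then shows the delete-and-re-push gap that immutability does not close. REGISTRY and REPO are placeholders, the sample repository names are made up, and the probe images (alpine:3.19, busybox:1.36) are assumed to be pullable. Live parts run only with RUN_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example, not from the page or from AWS: an immutability gate plus a
# behavioural probe. REGISTRY and REPO are placeholders.
set -eu

# Reads "name<TAB>mutability" lines (what the describe-repositories query in
# live_settings emits with --output text) and prints the MUTABLE names.
mutable_repos() {
  awk -F'\t' '$2 == "MUTABLE" { print $1 }'
}

# Pipeline gate: non-zero exit unless every repository is IMMUTABLE.
gate() {
  local bad
  bad=$(mutable_repos)
  if [ -n "$bad" ]; then
    echo "mutable repositories found:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample of the query output, not real account data.
SAMPLE=$(printf 'app/api\tIMMUTABLE\napp/worker\tMUTABLE\ninfra/base\tIMMUTABLE\nsandbox/scratch\tMUTABLE\n')

# Live: the real input for the gate.
live_settings() {
  aws ecr describe-repositories \
    --query 'repositories[].[repositoryName, imageTagMutability]' \
    --output text
}

# Live: prove the setting bites. Two distinct images are pushed under one tag;
# the second push must fail with ImageTagAlreadyExistsException. Deleting the
# image then frees the tag, which is the gap immutability leaves open.
probe() {
  local registry=$1 repo=$2 tag
  tag="probe-$(date +%s)"
  docker pull alpine:3.19 && docker pull busybox:1.36
  docker tag alpine:3.19 "$registry/$repo:$tag"
  docker push "$registry/$repo:$tag"
  docker tag busybox:1.36 "$registry/$repo:$tag"
  if docker push "$registry/$repo:$tag" 2>&1 | grep -q ImageTagAlreadyExistsException; then
    echo "second push rejected: immutability is enforced"
  else
    echo "second push accepted: repository is still MUTABLE" >&2
    return 1
  fi
  # Anyone holding ecr:BatchDeleteImage can do this and then re-push the tag.
  aws ecr batch-delete-image --repository-name "$repo" --image-ids imageTag="$tag"
  docker push "$registry/$repo:$tag" \
    && echo "tag reused after delete: restrict BatchDeleteImage and deploy by digest"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  live_settings | gate
  probe "$REGISTRY" "$REPO"
else
  printf '%s\n' "$SAMPLE" | mutable_repos
fi
```

Run the gate in the deploy job before anything references the registry: `live_settings | gate` exits non-zero and lists the offending repositories, which catches a repository someone flipped back, or created MUTABLE by default, before Security Hub reports it.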