Compliance · Medium severity

AWS Security Hub · ECR

ECR.3: ECR repos grow without lifecycle cleanup

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ECR.3 check?

ECR.3 checks that each private ECR repository has at least one lifecycle policy attached. It reports FAILED for any private repository with no lifecycle policy, which means nothing ever prunes the images that repository accumulates. Note what the control does not check: a policy that is attached but never matches anything (say, a single rule that keeps ten thousand tagged images) passes, so a green ECR.3 is evidence that a policy exists, not that it prunes.

Why does ECR.3 matter?

A repository with no lifecycle policy grows without bound: untagged layers and stale builds pile up, raising storage cost and, more importantly, leaving old known-vulnerable images available to be pulled by a stale task definition, a rollback or a typo. A priority-ordered policy keeps the registry to the images you actually run.

How do I fix ECR.3?

  1. Inventory the repository with aws ecr describe-images to see how many images are untagged, how many carry stale prefixes (old feature-branch or PR tags, for example) and how old they are.
  2. Write a priority-ordered lifecycle policy: expire untagged images first, then images with stale tag prefixes older than N days, then cap the count of recent tagged images. Rules are evaluated in ascending rulePriority, and an image selected by a higher-priority rule is not reconsidered by later ones.
  3. Preview the deletions with start-lifecycle-policy-preview, read the result with get-lifecycle-policy-preview, and only then attach the policy with put-lifecycle-policy. Expiry is a deletion, and ECR does not check whether anything still runs an image, so cap counts generously for the tags you deploy.
  4. Enable the AWS Config managed rule ecr-private-lifecycle-policy-configured (the rule this control is built on) so repositories created without a policy are flagged, and deny ecr:DeleteLifecyclePolicy in an SCP so an attached policy cannot be quietly removed.
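The procedure above, worked through locally as an added example (this is not code from the page or from Emnode's lesson): it builds the priority-ordered policy, validates the structural rules put-lifecycle-policy enforces, and runs a simplified model of ECR's rule evaluation over a constructed describe-images listing so you can see what each rule would expire before asking ECR for the real preview. The tag conventions (feature-, pr-, release-), the fixed clock, the sample images and the helper names build_policy, validate_policy and preview are all assumptions; the evaluation model is a simplified reading of ECR's semantics and start-lifecycle-policy-preview remains authoritative.

```python
# Added example (not from the page or Emnode's lesson): build, validate and locally
# preview a priority-ordered ECR lifecycle policy against a constructed image listing.
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

def build_policy(untagged_days=1, stale_prefixes=("feature-", "pr-"), stale_days=30,
                 release_prefix="release-", keep_recent=50):
    """Untagged first, then one rule per stale prefix, then a count cap on releases.
    One rule per prefix is deliberate: entries in a single tagPrefixList are ANDed (the
    image must carry a tag for every prefix), so ["feature-", "pr-"] in one rule would
    select almost nothing."""
    rules = []
    def add(description, **selection):
        rules.append({"rulePriority": len(rules) + 1, "description": description,
                      "selection": selection, "action": {"type": "expire"}})
    add(f"Expire untagged images older than {untagged_days} day(s)", tagStatus="untagged",
        countType="sinceImagePushed", countUnit="days", countNumber=untagged_days)
    for prefix in stale_prefixes:
        add(f"Expire {prefix}* builds older than {stale_days} days", tagStatus="tagged",
            tagPrefixList=[prefix], countType="sinceImagePushed", countUnit="days",
            countNumber=stale_days)
    add(f"Keep only the {keep_recent} newest {release_prefix}* images", tagStatus="tagged",
        tagPrefixList=[release_prefix], countType="imageCountMoreThan", countNumber=keep_recent)
    return {"rules": rules}

def validate_policy(policy):
    """Structural checks for the constraints this example relies on; ECR's own validation
    at put-lifecycle-policy time is authoritative. tagPatternList is not modelled."""
    problems, seen = [], set()
    for r in policy.get("rules", []):
        p, sel = r.get("rulePriority"), r.get("selection", {})
        if not isinstance(p, int) or p < 1 or p in seen:
            problems.append(f"rule {p!r}: rulePriority must be a unique positive integer")
        seen.add(p)
        if (sel.get("tagStatus") == "tagged") != ("tagPrefixList" in sel):
            problems.append(f"rule {p}: tagPrefixList is required with, and only with, tagStatus=tagged")
        if sel.get("countType") == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {p}: sinceImagePushed requires countUnit=days")
        if sel.get("countType") == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {p}: imageCountMoreThan must not set countUnit")
        if not isinstance(sel.get("countNumber"), int) or sel["countNumber"] < 1:
            problems.append(f"rule {p}: countNumber must be a positive integer")
    return problems

def _pushed_at(image):
    """Accept a datetime or the ISO-8601 string the CLI prints for imagePushedAt."""
    ts = image["imagePushedAt"]
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00")) if isinstance(ts, str) else ts
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def _selects(sel, image):
    """Does the rule's tag selection claim this image? (prefixes are ANDed, see above)"""
    tags = image.get("imageTags") or []
    if sel["tagStatus"] == "untagged":
        return not tags
    if sel["tagStatus"] == "any":
        return True
    return bool(tags) and all(any(t.startswith(p) for t in tags) for p in sel["tagPrefixList"])

def preview(policy, images, now=NOW):
    """Return {imageDigest: rulePriority} for the images the policy would expire.
    Simplified model of ECR's evaluation: rules run in ascending rulePriority, and an image
    claimed by a rule's tag selection is never reconsidered by a lower-priority rule,
    even when that rule decided to keep it."""
    expired, remaining = {}, list(images)
    for r in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = r["selection"]
        claimed = [img for img in remaining if _selects(sel, img)]
        remaining = [img for img in remaining if not any(img is c for c in claimed)]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            victims = [img for img in claimed if _pushed_at(img) < cutoff]
        else:  # imageCountMoreThan: keep the newest countNumber, expire the rest
            victims = sorted(claimed, key=_pushed_at, reverse=True)[sel["countNumber"]:]
        for img in victims:
            expired[img["imageDigest"]] = r["rulePriority"]
    return expired

def _img(digest, tags, age):  # constructed describe-images-style record, not real registry data
    return {"imageDigest": digest, "imagePushedAt": NOW - age, **({"imageTags": tags} if tags else {})}

SAMPLE_IMAGES = [
    _img("sha256:0001", [], timedelta(days=10)),                 # stale untagged layer
    _img("sha256:0002", [], timedelta(hours=2)),                 # untagged but fresh: kept
    _img("sha256:0003", ["feature-login"], timedelta(days=45)),
    _img("sha256:0004", ["feature-search"], timedelta(days=3)),
    _img("sha256:0005", ["pr-812", "release-1.9.0"], timedelta(days=60)),  # promoted PR build
    _img("sha256:0006", ["release-2.0.0"], timedelta(days=20)),
    _img("sha256:0007", ["release-2.1.0"], timedelta(days=5)),
    _img("sha256:0008", ["release-2.2.0", "latest"], timedelta(days=1)),
]

if __name__ == "__main__":
    policy = build_policy(keep_recent=2)  # small cap so the sample shows the count rule firing
    if validate_policy(policy):
        raise SystemExit("\n".join(validate_policy(policy)))
    print(json.dumps(policy, indent=2))  # save as ecr-policy.json for --lifecycle-policy-text
    for digest, prio in sorted(preview(policy, SAMPLE_IMAGES).items()):
        print(f"would expire {digest} via rule {prio}")
```

Two things the sample is built to surface. The image tagged both pr-812 and release-1.9.0 is expired by the pr- rule, because that rule claims it before the release rule ever sees it; if you promote PR builds by adding a release tag, also remove the PR tag, or give the release rule a lower rulePriority number. And the prefixes are split into one rule each on purpose, since a single tagPrefixList with several entries only matches images carrying a tag for every entry. To run the same preview over a real repository, load the JSON from aws ecr describe-images --repository-name <repo> --output json and pass its imageDetails list to preview; the ISO-8601 timestamps the CLI prints are accepted as-is.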

Remediation script · bash

# S3.10 (versioned buckets without lifecycle rules), the companion control covered by the
# same lesson: get-bucket-lifecycle-configuration errors when no configuration is set.
for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  ver=$(aws s3api get-bucket-versioning --bucket "$b" --query Status --output text 2>/dev/null)
  if [ "$ver" = "Enabled" ] && ! aws s3api get-bucket-lifecycle-configuration --bucket "$b" >/dev/null 2>&1; then
    echo "S3.10 FAIL: $b (versioned, no lifecycle)"
  fi
done

# Apply an S3 lifecycle config that tiers and expires noncurrent versions and clears failed uploads.
aws s3api put-bucket-lifecycle-configuration \
  --bucket ci-build-artifacts --lifecycle-configuration file://lifecycle.json

# ECR.3: preview what the policy would expire before attaching it. The preview runs
# asynchronously, so wait for it to finish and read the result before applying anything.
aws ecr start-lifecycle-policy-preview \
  --repository-name services/checkout-api --lifecycle-policy-text file://ecr-policy.json
aws ecr wait lifecycle-policy-preview-complete --repository-name services/checkout-api
aws ecr get-lifecycle-policy-preview --repository-name services/checkout-api \
  --query 'previewResults[].{digest:imageDigest,tags:imageTags,rule:appliedRulePriority}' --output table
# Attach the policy; from here on ECR expires (deletes) matching images on its own schedule.
aws ecr put-lifecycle-policy \
  --repository-name services/checkout-api --lifecycle-policy-text file://ecr-policy.json

Full walkthrough (console steps, edge cases and verification) in the lesson Configure lifecycle and versioning policies.

Part of the learning path Cut your storage bill
  • ECR.1 Container images are not scanned on push
  • ECR.2 Mutable image tags can be swapped under you