
Lifecycle Policy in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: ECR-004

Ensure that a lifecycle policy is defined for each Amazon ECR image repository so that untagged and old container images are removed automatically. A lifecycle policy is a set of one or more management rules. Each rule selects images by tag status (tagged, untagged or any) and, for tagged images, by tag prefix, and expires the selected images once they exceed a given count or a given age since they were pushed.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Cost optimisation, Operational excellence

Amazon Elastic Container Registry (ECR) expires and deletes container images according to the lifecycle policy that you define. Expiring images by age or by count automates the clean-up of old and unused images in your repositories. Besides the storage cost, stale images are a security liability: they are built on base layers whose vulnerabilities have since been patched, and an untagged image remains pullable by digest, so an outdated build can easily find its way back into a deployment. Expiration is a permanent deletion, so test a new policy with the ECR lifecycle policy preview before attaching it. After a lifecycle policy is created, you should expect the affected Amazon ECR images to be expired within 24 hours.


Audit

To determine if your Amazon ECR image repositories are using lifecycle policies to remove untagged and old container images, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the navigation panel, under Amazon ECR, select Repositories to access your ECR image repositories.

04 Click on the name of the image repository that you want to examine, available in the Repository name column.

05 In the left navigation panel, under Repositories, choose Lifecycle Policy to access the lifecycle policies associated with the selected repository.

06 On the Lifecycle Policy page, check for any policy rules listed in the Lifecycle policy rules section:

  1. If no rules are listed in this section and the message "No lifecycle policies to display" is shown instead, no lifecycle policy has been created for the selected Amazon ECR image repository.
  2. If one or more rules are listed in the Lifecycle policy rules section, perform the following:
    • Select the lifecycle policy rule that you want to examine and choose Edit.
    • On the Edit lifecycle rule page, check the Image status and Match criteria settings. Unless Image status is set to Untagged and Match criteria is set to Since image pushed, the selected rule is not configured to remove untagged and old images from your image repository. Repeat this step for each lifecycle rule created for the selected Amazon ECR image repository; the repository is compliant only if at least one rule has both settings.

07 Repeat steps no. 4 – 6 to check the associated lifecycle policies for other Amazon ECR repositories available within the current AWS region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-repositories command (OSX/Linux/UNIX) to list the names of all Amazon ECR image repositories created in the selected AWS region:

aws ecr describe-repositories \
	--region us-east-1 \
	--output table \
	--query "repositories[*].repositoryName"

02 The command output should return a table with the requested identities (names):

-------------------------
| DescribeRepositories  |
+-----------------------+
|  cc-docker-web-repo   |
|  cc-production-repo   |
+-----------------------+

03 Run get-lifecycle-policy command (OSX/Linux/UNIX), passing the name of the Amazon ECR image repository that you want to examine as the identifier parameter, to describe the content of the lifecycle policy created for the selected repository:

aws ecr get-lifecycle-policy \
	--region us-east-1 \
	--repository-name cc-docker-web-repo \
	--query "lifecyclePolicyText"

04 The command output should return the content (i.e. lifecycle rule(s)) of the associated lifecycle policy or an error message:

  • If the get-lifecycle-policy command returns a LifecyclePolicyNotFoundException, no lifecycle policy has been created for the selected Amazon ECR image repository:
    An error occurred (LifecyclePolicyNotFoundException) when calling the GetLifecyclePolicy operation: Lifecycle policy does not exist for the repository with name 'cc-docker-web-repo' in the registry with id '123456789012'
    
  • If get-lifecycle-policy command output returns one or more lifecycle rules, check each rule for the following combination of elements: "tagStatus" set to "untagged" and "countType" set to "sinceImagePushed". If none of the lifecycle rules defined for the selected repository have the specified combination of elements, as shown in the example below, the associated lifecycle policy is not configured to remove untagged and old images from the selected Amazon ECR image repository:
    {
        "rules": [
            {
                "rulePriority": 1,
                "description": "Keep only one untagged image, expire all others",
                "selection": {
                    "tagStatus": "untagged",
                    "countType": "imageCountMoreThan",
                    "countNumber": 1
                },
                "action": {
                    "type": "expire"
                }
            }
        ]
    }
    

05 Repeat steps no. 3 and 4 to check the associated lifecycle policies for other Amazon ECR repositories available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
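The audit above is repeated per repository and per region by hand. The following script is an added example, not part of the Conformity rule or of AWS tooling: it applies the same check (at least one rule with "tagStatus" set to "untagged" and "countType" set to "sinceImagePushed") to every repository in every region enabled for the account. The policy evaluation is pure Python and is exercised against two constructed sample policies; the AWS calls assume boto3 is installed and credentials are configured, and the "us-east-1" endpoint used to list regions is an assumption.

```python
"""Audit every Amazon ECR repository in every enabled region for a lifecycle
rule that expires untagged images by age (the ECR-004 condition).

Added example. evaluate_policy() is pure Python; the AWS calls (boto3, assumed
installed) run only from main().
"""
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple


def rule_expires_old_untagged(rule: Dict[str, Any]) -> bool:
    """True when one rule selects untagged images by push age and expires them."""
    selection = rule.get("selection", {})
    return (
        selection.get("tagStatus") == "untagged"
        and selection.get("countType") == "sinceImagePushed"
        and rule.get("action", {}).get("type") == "expire"
    )


def evaluate_policy(policy_text: Optional[str]) -> Dict[str, Any]:
    """Verdict for one repository. policy_text is the lifecyclePolicyText string,
    or None when GetLifecyclePolicy raised LifecyclePolicyNotFoundException."""
    if policy_text is None:
        return {"compliant": False, "reason": "no lifecycle policy attached"}
    try:
        rules: List[Dict[str, Any]] = json.loads(policy_text).get("rules", [])
    except (json.JSONDecodeError, AttributeError) as exc:
        return {"compliant": False, "reason": f"policy text is not a JSON object: {exc}"}
    matching = [r for r in rules if rule_expires_old_untagged(r)]
    if not matching:
        return {"compliant": False,
                "reason": "no rule expires untagged images by age since push"}
    # Surface the retention window so a reviewer can judge whether it is sensible.
    days = min(int(r["selection"].get("countNumber", 0)) for r in matching)
    return {"compliant": True, "reason": f"untagged images expire after {days} days"}


# Constructed sample policies (not taken from any real account).
COMPLIANT_POLICY = json.dumps({"rules": [{
    "rulePriority": 1, "description": "Expire untagged images older than 14 days",
    "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                  "countUnit": "days", "countNumber": 14},
    "action": {"type": "expire"}}]})

COUNT_ONLY_POLICY = json.dumps({"rules": [{
    "rulePriority": 1, "description": "Keep only one untagged image, expire all others",
    "selection": {"tagStatus": "untagged", "countType": "imageCountMoreThan",
                  "countNumber": 1},
    "action": {"type": "expire"}}]})


def audit_region(session, region: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (repository name, verdict) for every repository in one region."""
    ecr = session.client("ecr", region_name=region)
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            name = repo["repositoryName"]
            try:
                text = ecr.get_lifecycle_policy(repositoryName=name)["lifecyclePolicyText"]
            except ecr.exceptions.LifecyclePolicyNotFoundException:
                text = None
            yield name, evaluate_policy(text)


def main() -> int:
    import boto3  # assumption: boto3 installed and AWS credentials configured

    session = boto3.Session()
    # ECR is region-scoped: walk only the regions enabled for this account.
    ec2 = session.client("ec2", region_name="us-east-1")  # assumed reachable endpoint
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    failures = 0
    for region in regions:
        for name, verdict in audit_region(session, region):
            status = "PASS" if verdict["compliant"] else "FAIL"
            failures += status == "FAIL"
            print(f"{status} {region} {name}: {verdict['reason']}")
    return 1 if failures else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The script exits non-zero when any repository fails, so it can gate a pipeline. A repository whose only rule is count-based (like the "imageCountMoreThan" example in step no. 4) is reported as failing, exactly as the manual check above would classify it.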

Remediation / Resolution

An Amazon ECR lifecycle policy allows you to create a set of rules that expire unused images. To create and configure lifecycle policies that remove untagged and old images, perform the following actions:

Note: As an example, this section shows how to implement a lifecycle policy rule that expires untagged repository images older than 14 days.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the navigation panel, under Amazon ECR, select Repositories to access your ECR image repositories.

04 Click on the name of the image repository that you want to reconfigure, and choose Lifecycle Policy under Repositories.

05 On the Lifecycle Policy page, click on the Create rule button from the console top menu to initiate the setup process.

06 On the Create lifecycle rule setup page, perform the following:

  1. For Rule priority, specify a unique positive integer. Rules are evaluated from the lowest value upwards; values do not need to be sequential across rules in a policy.
  2. Provide a short description for your lifecycle policy in the Rule description box.
  3. For Image status choose Untagged to target untagged container images.
  4. For Match criteria choose Since image pushed to select the count type to apply to your images. In the Days box, provide the number of days (for example, 14 days) after which your container images expire and will be deleted.
  5. Ensure that Rule action is set to Expire.
  6. Choose Save to create your new Amazon ECR lifecycle policy rule. After creating a lifecycle policy rule, the affected images are expired within 24 hours.

07 Repeat steps no. 4 – 6 to create and configure lifecycle policies for other Amazon ECR image repositories available within the current AWS cloud region.

08 Change the AWS region from the navigation bar to repeat the remediation/resolution process for the other regions.

Using AWS CLI

01 Define the lifecycle rule that will be added to the lifecycle policy associated with your Amazon ECR repository. The following example creates a lifecycle policy rule that removes untagged container images that are older than 14 days. Save the new lifecycle rule content to a JSON file named cc-lifecycle-policy-rule.json:

{
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire images older than 14 days.",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 14
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}

02 Run put-lifecycle-policy command (OSX/Linux/UNIX), passing the name of the Amazon ECR image repository that you want to reconfigure as the identifier parameter, to attach the policy defined at the previous step (i.e. cc-lifecycle-policy-rule.json) to the selected repository. Note that put-lifecycle-policy replaces the repository's entire lifecycle policy: any existing rules that are not included in the JSON file are dropped, so carry them over into the file first.

aws ecr put-lifecycle-policy \
	--region us-east-1 \
	--repository-name cc-docker-web-repo \
	--lifecycle-policy-text file://cc-lifecycle-policy-rule.json

03 The command output returns the registry ID, the repository name and the stored policy text, with the new rule serialized as a JSON string:

{
    "lifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"description\":\"Expire images older than 14 days.\",\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"sinceImagePushed\",\"countUnit\":\"days\",\"countNumber\":14},\"action\":{\"type\":\"expire\"}}]}",
    "repositoryName": "cc-docker-web-repo",
    "registryId": "123456789012"
}

04 Repeat steps no. 1 – 3 to create and configure lifecycle policies for other Amazon ECR image repositories available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire remediation/resolution process for other regions.
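Two things the manual CLI steps above leave to the operator are worth automating: put-lifecycle-policy overwrites whatever policy the repository already has, and expiration cannot be undone. The following script is an added example, not Conformity's or AWS's code. merge_rule() carries the existing rules over and slots in the 14-day untagged rule, keeping a "tagStatus": "any" rule last as ECR requires; the preview step uses the ECR lifecycle policy preview API to report how many images would expire before anything is written, and the policy is only attached when --apply is given. The merge logic is exercised against a constructed sample policy; the AWS calls assume boto3 is installed, credentials are configured, and the region "us-east-1" is an assumption.

```python
"""Add an 'expire untagged images after N days' rule to ECR repositories without
discarding their existing rules, previewing the effect before it is applied.

Added example. merge_rule() is pure Python; the AWS calls (boto3, assumed
installed) run only from main().
"""
import json
import sys
import time
from typing import Any, Dict, List, Optional


def make_untagged_age_rule(priority: int, days: int) -> Dict[str, Any]:
    return {
        "rulePriority": priority,
        "description": f"Expire untagged images older than {days} days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": days},
        "action": {"type": "expire"},
    }


def merge_rule(existing_text: Optional[str], days: int) -> str:
    """Policy text to PUT: the existing rules plus the new untagged-by-age rule.

    PutLifecyclePolicy replaces the whole policy, so rules left out are lost.
    Rules keep their relative order and are renumbered 1..n; a tagStatus "any"
    rule must hold the highest priority (ECR evaluates it last), so the new
    rule is inserted ahead of it. Returns the input unchanged if a matching
    rule is already present, which makes the operation idempotent.
    """
    rules: List[Dict[str, Any]] = []
    if existing_text:
        rules = sorted(json.loads(existing_text)["rules"], key=lambda r: r["rulePriority"])
        for r in rules:
            sel = r["selection"]
            if sel.get("tagStatus") == "untagged" and sel.get("countType") == "sinceImagePushed":
                return existing_text
    specific = [r for r in rules if r["selection"].get("tagStatus") != "any"]
    catch_all = [r for r in rules if r["selection"].get("tagStatus") == "any"]
    ordered = specific + [make_untagged_age_rule(0, days)] + catch_all
    for priority, rule in enumerate(ordered, start=1):
        rule["rulePriority"] = priority
    return json.dumps({"rules": ordered})


# Constructed sample of a policy already attached to a repository.
EXISTING_WITH_CATCH_ALL = json.dumps({"rules": [
    {"rulePriority": 10, "description": "Keep the last 30 release images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["release-"],
                   "countType": "imageCountMoreThan", "countNumber": 30},
     "action": {"type": "expire"}},
    {"rulePriority": 20, "description": "Never hold more than 500 images",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 500},
     "action": {"type": "expire"}},
]})


def preview(ecr, repo: str, policy_text: str, timeout_s: int = 120) -> Dict[str, Any]:
    """Dry-run the policy with ECR's preview API and return the finished result."""
    ecr.start_lifecycle_policy_preview(repositoryName=repo, lifecyclePolicyText=policy_text)
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        resp = ecr.get_lifecycle_policy_preview(repositoryName=repo)
        if resp["status"] in ("COMPLETE", "FAILED", "EXPIRED"):
            return resp
        time.sleep(3)
    raise TimeoutError(f"lifecycle policy preview for {repo} did not finish")


def remediate(ecr, repo: str, days: int, apply: bool) -> None:
    try:
        current = ecr.get_lifecycle_policy(repositoryName=repo)["lifecyclePolicyText"]
    except ecr.exceptions.LifecyclePolicyNotFoundException:
        current = None
    new_text = merge_rule(current, days)
    if new_text == current:
        print(f"{repo}: already expires untagged images by age, nothing to do")
        return
    result = preview(ecr, repo, new_text)
    total = result.get("summary", {}).get("expiringImageTotalCount", 0)
    print(f"{repo}: preview {result['status']}, {total} image(s) would expire")
    for img in result.get("previewResults", [])[:5]:  # first page only, for a glance
        print(f"  {img['imageDigest'][:19]} pushed {img['imagePushedAt']:%Y-%m-%d}"
              f" by rule {img['appliedRulePriority']}")
    if apply and result["status"] == "COMPLETE":
        ecr.put_lifecycle_policy(repositoryName=repo, lifecyclePolicyText=new_text)
        print(f"{repo}: policy attached; expirations run within 24 hours")


def main(argv: List[str]) -> int:
    import boto3  # assumption: boto3 installed and AWS credentials configured

    apply = "--apply" in argv
    repos = [a for a in argv if not a.startswith("--")]
    if not repos:
        print("usage: ecr_untagged_rule.py [--apply] REPO [REPO ...]", file=sys.stderr)
        return 2
    ecr = boto3.client("ecr", region_name="us-east-1")  # assumed region; rerun per region
    for repo in repos:
        remediate(ecr, repo, days=14, apply=apply)
    return 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv[1:]))
```

Run it once without --apply and read the preview counts; a repository where every untagged image would be deleted may be relying on digest pulls and needs a tagging fix before the rule is attached.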


Publication date Dec 14, 2020