
Triage AWS ECR Repositories should have a lifecycle policy configured IMAGE_LIFECYCLE_POLICY_NOT_ENABLED

Triage Guide for IMAGE_LIFECYCLE_POLICY_NOT_ENABLED

0. Understand

Why should I care about fixing this issue?

Without a lifecycle policy, your ECR repository may accumulate outdated or unused images, leading to increased storage costs and potential non-compliance with organizational policies.

1. Validate

How am I sure that this alert is true and accurate?

  • Data Source: This policy checks the lifecycle policy of the ECR repository using the GetLifecyclePolicy API.
  • Manual Retrieval: You can manually verify the lifecycle policy by running the aws ecr get-lifecycle-policy --repository-name <your-repo-name> command.
  • Reactive: This policy is reactive and triggers based on the current configuration of the ECR repository.

2. Triage

What is the impact if it is unfixed?

  • Increased storage costs due to unused images.
  • Potential non-compliance with organizational data retention policies.

Does this problem get worse over time if it is unaddressed?

  • Yes, as more images are added without a lifecycle policy, storage costs will continue to rise.

Can remediation cause outages or downtime to any other running service?

  • No, enabling a lifecycle policy will not cause downtime, but configure it carefully: a rule that matches too broadly can expire images that running workloads still need.

3. Act

What do I do to fix this alarm?

  1. Review the lifecycle policy requirements for your organization.
  2. Use the AWS Management Console or AWS CLI to create and apply a lifecycle policy to your ECR repository.
    • Example CLI command: aws ecr put-lifecycle-policy --repository-name <your-repo-name> --lifecycle-policy-text <policy-text>
  3. Verify that the policy is applied correctly by running the aws ecr get-lifecycle-policy --repository-name <your-repo-name> command.
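
The three steps above, as an added shell example that is not part of this triage guide: it builds a lifecycle policy that expires untagged images older than N days and keeps only the newest N images under a tag prefix, runs a local sanity check on the rule priorities, previews what the policy would expire, then applies it and reads it back with the same `get-lifecycle-policy` call the guide uses for validation. It assumes the AWS CLI is installed with working credentials and takes the repository name from an `ECR_REPOSITORY` environment variable; the day counts, image counts and the `release` tag prefix are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the triage guide. Assumes the AWS CLI and credentials
# are configured; ECR_REPOSITORY names the target repository (hypothetical).

# Emit lifecycle policy JSON. The untagged rule gets the lower rulePriority so it
# is evaluated first; tagged images are only trimmed by the second rule.
build_lifecycle_policy() {
    local untagged_days="${1:-14}" keep_tagged="${2:-30}" tag_prefix="${3:-release}"
    cat <<EOF
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire untagged images older than ${untagged_days} days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": ${untagged_days}
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 2,
      "description": "Keep only the newest ${keep_tagged} images tagged ${tag_prefix}*",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["${tag_prefix}"],
        "countType": "imageCountMoreThan",
        "countNumber": ${keep_tagged}
      },
      "action": { "type": "expire" }
    }
  ]
}
EOF
}

# Cheap local check before calling AWS: at least one rule must exist and every
# rulePriority must be unique (ECR rejects duplicates). Returns 0 when it passes.
check_rule_priorities() {
    local priorities
    priorities=$(printf '%s\n' "$1" \
        | grep -o '"rulePriority": *[0-9][0-9]*' \
        | grep -o '[0-9][0-9]*$' || true)
    [ -n "$priorities" ] || { echo "no rules found in policy text" >&2; return 1; }
    if printf '%s\n' "$priorities" | sort | uniq -d | grep -q .; then
        echo "duplicate rulePriority values in policy text" >&2
        return 1
    fi
    return 0
}

# Dry run: ask ECR which images the policy would expire, without deleting any.
# The preview is asynchronous, so poll until it leaves IN_PROGRESS.
preview_policy() {
    local repo="$1" policy="$2" status
    aws ecr start-lifecycle-policy-preview \
        --repository-name "$repo" --lifecycle-policy-text "$policy" > /dev/null
    until status=$(aws ecr get-lifecycle-policy-preview --repository-name "$repo" \
                   --query status --output text) && [ "$status" != "IN_PROGRESS" ]; do
        sleep 2
    done
    aws ecr get-lifecycle-policy-preview --repository-name "$repo" \
        --query 'previewResults[].{digest:imageDigest,tags:imageTags,action:action.type}' \
        --output table
}

# Apply the policy, then read it back (the guide's verification step).
apply_and_verify() {
    local repo="$1" policy="$2"
    aws ecr put-lifecycle-policy \
        --repository-name "$repo" --lifecycle-policy-text "$policy" > /dev/null
    aws ecr get-lifecycle-policy --repository-name "$repo" \
        --query lifecyclePolicyText --output text
}

POLICY=$(build_lifecycle_policy 14 30 release)
check_rule_priorities "$POLICY"
if [ -n "${ECR_REPOSITORY:-}" ]; then
    preview_policy "$ECR_REPOSITORY" "$POLICY"
    apply_and_verify "$ECR_REPOSITORY" "$POLICY"
else
    # No repository given: just show the policy text that would be applied.
    printf '%s\n' "$POLICY"
fi
```

Run the preview first and read the table before applying; if a tagged image that a running deployment still references shows up with action `expire`, raise `keep_tagged` or narrow the tag prefix before calling `put-lifecycle-policy`.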

4. Reflect

What should I do if this alarm wasn't a good use of time?

  • Adjust the lifecycle policy thresholds or disable the policy if it does not align with your organizational needs.