Skip to main content

aws_ecr resource


This resource is deprecated. Please use one of the following resources instead.

  • aws_ecr_image
  • aws_ecr_images
  • aws_ecr_repository
  • aws_ecr_repositories

Use the aws_ecr InSpec audit resource to test properties of a single AWS Elastic Container Registry.


An aws_ecr resource block declares the tests for a single AWS ECR by repository name.

  describe aws_ecr(repository_name: aws_ecr_name) do
    it                       { should exist }
    its ('repository_name')  { should eq aws_ecr_name }


The ECR repository_name must be provided.

repository*name *(required)_

The name of the repository This can be passed either as a string or as an repository_name: 'value' key-value entry in a hash.


registry_idThe AWS account ID associated with the registry
repository_arnThe Amazon Resource Name of the repository
repository_nameThe name of the repository
repository_uriThe uri of the repository
image_tagsThe tags associated with the image
image_digestA sha256 hash of the image
image_size_in_bytesThe size of the image in bytes.
image_pushed_atThe datetime as a string when the image was uploaded. ‘yyyy-mm-dd hh:mm:ss tz’
image_uploaded_dateThe date as a string when the image was uploaded. ‘yyyy-mm-dd’


Test that an ECR has the correct image properties

  describe aws_ecr(repository_name: aws_ecr_name).images do
    its ('image_tags')          { should include 'latest'}
    its ('image_digest')        { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497'}
    its ('image_size_in_bytes') { should eq 764234}
    its ('image_uploaded_date') { should eq '2019-06-11'}
    its ('image_pushed_at')     { should eq '2019-06-11 15:08:29 +0100'}


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

  it { should exist }
  it { should_not exist }

AWS Permissions

Your Principal will need the ecr:DescribeRepositories and ecr:DescribeImages actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

Was this page helpful?