Skip to main content

aws_ecr resource


This resource is deprecated. Please use one of the following resources instead.

  • aws_ecr_image
  • aws_ecr_images
  • aws_ecr_repository
  • aws_ecr_repositories

Use the aws_ecr InSpec audit resource to test properties of a single AWS Elastic Container Registry.


An aws_ecr resource block declares the tests for a single AWS ECR by repository name.

  describe aws_ecr(repository_name: aws_ecr_name) do
    it                       { should exist }
    its ('repository_name')  { should eq aws_ecr_name }


The ECR repository_name must be provided.

repository*name *(required)_

The name of the repository This can be passed either as a string or as an repository_name: 'value' key-value entry in a hash.


registry_idThe AWS account ID associated with the registry
repository_arnThe Amazon Resource Name of the repository
repository_nameThe name of the repository
repository_uriThe uri of the repository
image_tagsThe tags associated with the image
image_digestA sha256 hash of the image
image_size_in_bytesThe size of the image in bytes.
image_pushed_atThe datetime as a string when the image was uploaded. ‘yyyy-mm-dd hh:mm:ss tz’
image_uploaded_dateThe date as a string when the image was uploaded. ‘yyyy-mm-dd’


Test that an ECR has the correct image properties

  describe aws_ecr(repository_name: aws_ecr_name).images do
    its ('image_tags')          { should include 'latest'}
    its ('image_digest')        { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497'}
    its ('image_size_in_bytes') { should eq 764234}
    its ('image_uploaded_date') { should eq '2019-06-11'}
    its ('image_pushed_at')     { should eq '2019-06-11 15:08:29 +0100'}


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

  it { should exist }
  it { should_not exist }

AWS Permissions

Your Principal will need the ecr:DescribeRepositories and ecr:DescribeImages actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.