
How to enable KMS encryption for AWS ECR when using CloudFormation templates


Reading the AWS documentation regarding the ECR CloudFormation template (see here), I have not been able to find how to specify the encryption at rest you want. I know that by default it uses AES-256, but I want to be able to specify KMS. In simple terms, my template looks like this:

Resources:
    logicalid:
        Type: 'AWS::ECR::Repository'
        Properties:
            RepositoryName: "repo-name"
            ImageScanningConfiguration:
                ScanOnPush: "true"
            ImageTagMutability: "IMMUTABLE"
            EncryptionConfiguration:
                EncryptionType: "KMS"

But EncryptionConfiguration is not a valid option. I assume there must be a way, given that the SDKs allow you to specify it (see here).

Any help would be much appreciated. Thanks!


Solution

  • It is not supported yet. KMS encryption for ECR is rather new, and CloudFormation does not have this option yet.

    The only way would be to create your ECR repo using a custom resource in CloudFormation.
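As an added illustration of the custom-resource route the answer suggests (this is example code, not the answer author's or AWS's own), the Lambda handler below implements the CloudFormation custom resource protocol and calls the ECR API with an explicit KMS encryption configuration. The property names the handler reads (RepositoryName, EncryptionType, KmsKey, ScanOnPush, ImageTagMutability), the FakeEcrClient stand-in, and every ARN in the sample event are assumptions made for this example; in Lambda the real boto3 client is used instead of the fake.

```python
import json
import urllib.request

# Constructed sample event in the shape CloudFormation sends a Lambda-backed
# custom resource on stack creation. Every ARN and URL here is a placeholder.
SAMPLE_CREATE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/placeholder",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/placeholder",
    "RequestId": "request-placeholder",
    "LogicalResourceId": "EcrRepo",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:placeholder",
        "RepositoryName": "repo-name",
        "ImageTagMutability": "IMMUTABLE",
        "ScanOnPush": "true",
        "EncryptionType": "KMS",
        "KmsKey": "arn:aws:kms:us-east-1:123456789012:key/placeholder-key-id",
    },
}


def build_create_kwargs(props):
    """Map the custom resource's Properties (names chosen for this example)
    onto the keyword arguments of boto3's ecr.create_repository."""
    enc_type = props.get("EncryptionType", "AES256")
    if enc_type not in ("AES256", "KMS"):
        raise ValueError("EncryptionType must be AES256 or KMS")
    encryption = {"encryptionType": enc_type}
    if enc_type == "KMS" and props.get("KmsKey"):
        # Without kmsKey, ECR falls back to the AWS-managed key for ECR.
        encryption["kmsKey"] = props["KmsKey"]
    kwargs = {
        "repositoryName": props["RepositoryName"],
        "encryptionConfiguration": encryption,
        # CloudFormation passes property values as strings, hence the comparison.
        "imageScanningConfiguration": {
            "scanOnPush": str(props.get("ScanOnPush", "false")).lower() == "true"
        },
    }
    if "ImageTagMutability" in props:
        kwargs["imageTagMutability"] = props["ImageTagMutability"]
    return kwargs


def handle(event, ecr):
    """Run the ECR call for the request type and return the resource result."""
    props = event["ResourceProperties"]
    request_type = event["RequestType"]
    if request_type == "Delete":
        # force=False: refuse to delete a repository that still holds images,
        # so a stack deletion cannot silently destroy published artifacts.
        ecr.delete_repository(repositoryName=event["PhysicalResourceId"], force=False)
        return {"PhysicalResourceId": event["PhysicalResourceId"], "Data": {}}
    if request_type == "Update":
        old = event.get("OldResourceProperties", {})
        changed = [k for k in ("RepositoryName", "EncryptionType", "KmsKey")
                   if props.get(k) != old.get(k)]
        if not changed:
            raise ValueError("only replacement updates are implemented here")
        # ECR cannot change a repository's encryption in place, so a changed
        # key or type means a replacement under a new RepositoryName; CloudFormation
        # then sends Delete for the old PhysicalResourceId during cleanup.
    repo = ecr.create_repository(**build_create_kwargs(props))["repository"]
    return {
        "PhysicalResourceId": repo["repositoryName"],
        "Data": {"Arn": repo["repositoryArn"], "RepositoryUri": repo["repositoryUri"]},
    }


def send_response(event, context, status, result=None, reason=None):
    """PUT the outcome to the pre-signed ResponseURL, as the protocol requires."""
    result = result or {}
    body = json.dumps({
        "Status": status,
        "Reason": reason or "see log stream " + str(getattr(context, "log_stream_name", "")),
        "PhysicalResourceId": result.get(
            "PhysicalResourceId", event.get("PhysicalResourceId", event["LogicalResourceId"])),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": result.get("Data", {}),
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so the rest runs offline
    try:
        send_response(event, context, "SUCCESS", handle(event, boto3.client("ecr")))
    except Exception as exc:  # always answer, or the stack waits until CloudFormation times out
        send_response(event, context, "FAILED", reason=str(exc))


class FakeEcrClient:
    """Stand-in for boto3's ECR client so the example runs offline; records calls."""
    def __init__(self):
        self.calls = []

    def create_repository(self, **kwargs):
        self.calls.append(("create_repository", kwargs))
        name = kwargs["repositoryName"]
        return {"repository": {
            "repositoryName": name,
            "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/" + name,
            "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/" + name}}

    def delete_repository(self, **kwargs):
        self.calls.append(("delete_repository", kwargs))
        return {}


if __name__ == "__main__":
    fake = FakeEcrClient()
    print(json.dumps(handle(SAMPLE_CREATE_EVENT, fake), indent=2))
    print(fake.calls)
```

In the template, the repository then becomes a `Custom::EcrRepository` resource (any `Custom::` name works) whose `ServiceToken` is the function's ARN and whose other properties are the ones the handler reads above; `!GetAtt` on `Arn` or `RepositoryUri` works because they are returned in `Data`. The function's role needs `ecr:CreateRepository` and `ecr:DeleteRepository`, and for a customer-managed key the ECR documentation additionally requires KMS grant permissions on that key for the principal creating the repository; scope both to the repository and key in question rather than `*`.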