

5.1.4 Minimize Container Registries to only those approved (Automated)


This rule has been changed to automated; see Automated Rules for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 2


Containers in your cluster should use only container registries approved by your organization.


Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.


All container images to be deployed to the cluster must be hosted within an approved container image registry.



Update containers to use one of the following default allowed registries:

  • Amazon ECR Public (public.ecr.aws)
  • Amazon ECR Private (<account-id>.dkr.ecr.<region>.amazonaws.com)

Alternatively, disable this policy and add a custom compliance policy that covers the additional registries your organization has approved. To do this, copy the Query of this policy (Query ID: LW_Global_EKS_Config_PodWithNonstandardImageRegistry) and add or adjust the registry exclusions (commonly expressed with like-pattern string matching on the image registry).
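The audit step above ("all images must be hosted within an approved registry") and the remediation's registry-exclusion matching are illustrated by the following Python script. It is an added example, not the policy's own query or any Lacework code: it takes a kubectl-style PodList, resolves each container image to its registry host using Docker's reference rules (an image with no registry component is implicitly pulled from docker.io), and reports every container whose registry does not match an allowlist. The ECR hostnames are the well-known AWS endpoints; the regular expressions, the SAMPLE_POD_LIST data, and the repository and account names in it are constructed for this example.

```python
"""Audit pod specs for container images that come from registries outside an
approved allowlist (here: Amazon ECR Public and Amazon ECR Private).

Added example; not part of the original page or of any vendor tooling.
"""
import json
import re
import sys

# Approved registry hostnames. Patterns are anchored on purpose: an unanchored
# "like" pattern such as '%ecr.aws%' would also accept a lookalike host.
# The ECR hostnames are the standard AWS endpoints; the regexes are this
# example's own approximation of the policy's exclusion matching (assumption).
APPROVED_REGISTRY_PATTERNS = [
    r"^public\.ecr\.aws$",                                               # ECR Public
    r"^\d{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$",   # ECR Private
]


def registry_of(image: str) -> str:
    """Return the registry host (with port, if any) for an image reference.

    Docker's rule: the first path component is a registry only if it contains
    '.' or ':' or equals 'localhost'; otherwise the image resolves to docker.io.
    """
    # Drop a digest first so the ':' inside '@sha256:...' cannot be mistaken
    # for a registry port. A tag ':' never precedes the first '/', so it is
    # safe to split on '/' afterwards.
    ref = image.split("@", 1)[0]
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def is_approved(registry: str, patterns=APPROVED_REGISTRY_PATTERNS) -> bool:
    """True if the registry host matches any allowlisted pattern."""
    return any(re.match(p, registry) for p in patterns)


def audit_pods(pod_list: dict, patterns=APPROVED_REGISTRY_PATTERNS) -> list:
    """Return one finding per container whose image registry is not approved.

    init and ephemeral containers are checked as well as regular containers,
    since all three execute inside the pod.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind, []):
                reg = registry_of(c["image"])
                if not is_approved(reg, patterns):
                    findings.append({
                        "namespace": meta.get("namespace", "default"),
                        "pod": meta.get("name"),
                        "kind": kind,
                        "container": c.get("name"),
                        "image": c["image"],
                        "registry": reg,
                    })
    return findings


# Constructed sample input in the shape of `kubectl get pods -A -o json`.
# Account ID, repository and image names are made up for this example.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"namespace": "payments", "name": "api-7c9d"},
         "spec": {"containers": [
             {"name": "api", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:2.3.1"},
             {"name": "sidecar", "image": "public.ecr.aws/example/sidecar:1.0"},
         ]}},
        {"metadata": {"namespace": "default", "name": "debug-x1"},
         "spec": {"initContainers": [{"name": "init", "image": "busybox:1.36"}],
                  "containers": [{"name": "shell",
                                  "image": "ghcr.io/example-org/tools@sha256:" + "a" * 64}]}},
        {"metadata": {"namespace": "dev", "name": "local-1"},
         "spec": {"containers": [{"name": "app", "image": "localhost:5000/app:dev"}]}},
    ]
}


if __name__ == "__main__":
    # Usage: python audit_registries.py [pods.json]
    # Produce pods.json with: kubectl get pods -A -o json > pods.json
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for f in audit_pods(pods):
        print(f"{f['namespace']}/{f['pod']} {f['kind']}/{f['container']}: "
              f"{f['image']} (registry: {f['registry']})")
    sys.exit(1 if audit_pods(pods) else 0)
```

Two details matter when you port the allowlist into a custom policy. First, images with no registry prefix (busybox:1.36, myorg/app:1.0) are not registry-less; they are Docker Hub pulls and must be flagged, so normalise them to docker.io before matching. Second, anchor the exclusion patterns to the full hostname: a substring match on ecr.aws would also accept public.ecr.aws.evil.example, which the anchored patterns above reject.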