# ecr-repository-cmk-encryption-enabled
<a name="ecr-repository-cmk-encryption-enabled"></a>

Checks if ECR repository is encrypted at rest using customer-managed KMS key. This rule is NON\$1COMPLIANT if the repository is encrypted using AES256 or the default KMS key ('aws/ecr'). 



**Identifier:** ECR\$1REPOSITORY\$1CMK\$1ENCRYPTION\$1ENABLED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Configuration changes

**Amazon Web Services Region:** All supported Amazon regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

kmsKeyArns (Optional)Type: CSV  
Comma-separated list of KMS key Amazon Resource Names (ARNs) intended to encrypt the ECR repository.

## Amazon CloudFormation template
<a name="w2aac20c16c17b7d647c19"></a>

To create Amazon Config managed rules with Amazon CloudFormation templates, see [Creating Amazon Config Managed Rules With Amazon CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).