For pull through cache repositories, Amazon ECR now supports repository creation templates that can be applied to a registry prefix, such as /external . These templates define default settings, including encryption configuration with a specific KMS key , tag immutability, scan on push, and more. When new cache repositories are auto-created under that prefix, they inherit the template settings automatically.

In this scenario, existing external cache repositories are noncompliant because they use SSE-S3. The company can delete those repositories (removing the noncompliant caches) and configure an ECR repository creation template for the /external prefix that specifies the required customer managed KMS key. As new images are pulled, ECR recreates the cache repositories under that prefix with KMS encryption using the specified key , guaranteeing compliance going forward.

Option A (AWS Config) would only detect noncompliance after creation and cannot enforce encryption at creation time. Option C (SCP) cannot directly control repository encryption properties. Option D misuses EventBridge; KMS cannot be a “target” that retroactively encrypts repositories.

Therefore, using an ECR repository creation template with the desired KMS key is the correct, automatic, and secure solution.