diff --git a/pkg/config/config.go b/pkg/config/config.go index 3dabc717..c28ba643 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -97,7 +97,7 @@ type ImageScanningConfiguration struct { } type EncryptionConfiguration struct { - EncryptionType string `yaml:"encryptionType"` + EncryptionType string `yaml:"encryptionType" validate:"oneof=KMS AWS256"` KmsKey string `yaml:"kmsKey"` } @@ -140,6 +140,9 @@ func CheckRegistryConfiguration(r Registry) error { if r.AWS.AccountID == "" { return errorWithType(`requires a field "accountdId"`) } + if r.AWS.ECROptions.EncryptionConfiguration.EncryptionType == "KMS" && r.AWS.ECROptions.EncryptionConfiguration.KmsKey == "" { + return errorWithType(`requires a field "kmsKey" if encryptionType is set to "KMS"`) + } case types.RegistryGCP: if r.GCP.Location == "" { return errorWithType(`requires a field "location"`) @@ -160,4 +163,5 @@ func SetViperDefaults(v *viper.Viper) { v.SetDefault("Target.Type", "aws") v.SetDefault("Target.AWS.ECROptions.ImageScanningConfiguration.ImageScanOnPush", true) v.SetDefault("Target.AWS.ECROptions.ImageTagMutability", "MUTABLE") + v.SetDefault("Target.AWS.ECROptions.EncryptionConfiguration.EncryptionType", "AES256") } diff --git a/pkg/registry/ecr.go b/pkg/registry/ecr.go index e651159d..04334fd0 100644 --- a/pkg/registry/ecr.go +++ b/pkg/registry/ecr.go 
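Review bot: The new struct tag on EncryptionType, `validate:"oneof=KMS AWS256"`, misspells the AES option: ECR's encryption types are `AES256` and `KMS`, and the default this same commit adds in SetViperDefaults is `"AES256"`. If the `validate` tags are enforced anywhere, that default fails validation while the non-existent `AWS256` is accepted here and then rejected by the API. The tag should read `` `yaml:"encryptionType" validate:"oneof=AES256 KMS"` ``. Whether a validator actually consumes these tags is not visible in this diff, so the tag is at best a second line of defence behind CheckRegistryConfiguration.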
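Review bot: The added check in CheckRegistryConfiguration only catches `KMS` with an empty kmsKey; any other encryptionType value, including a typo, passes this function and is first rejected when CreateRepository sends it to ECR (the struct tag added earlier in this diff may catch it, but only if a validator is run, which the diff does not show). Since this function already returns typed errors for the other required AWS fields, it is the natural place to reject anything but `AES256` and `KMS` explicitly, which also keeps the rule independent of the `validate` tag. A switch over the value does both checks in one place; if the config can be built without the viper default, add an empty-string case that maps to the default rather than an error. CheckRegistryConfiguration starts and ends outside the hunk.

```go
		// … unchanged: accountId check …
		switch r.AWS.ECROptions.EncryptionConfiguration.EncryptionType {
		case "AES256":
			// no further fields required
		case "KMS":
			if r.AWS.ECROptions.EncryptionConfiguration.KmsKey == "" {
				return errorWithType(`requires a field "kmsKey" if encryptionType is set to "KMS"`)
			}
		default:
			return errorWithType(`field "encryptionType" must be "AES256" or "KMS"`)
		}
		// … unchanged: case types.RegistryGCP …
```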
@@ -104,8 +104,17 @@ func (e *ECRClient) CreateRepository(ctx context.Context, name string) error { log.Ctx(ctx).Debug().Str("repository", name).Msg("create repository") + encryptionConfiguration := &ecr.EncryptionConfiguration{ + EncryptionType: aws.String(e.options.EncryptionConfiguration.EncryptionType), + } + + if e.options.EncryptionConfiguration.EncryptionType == "KMS" { + encryptionConfiguration.KmsKey = aws.String(e.options.EncryptionConfiguration.KmsKey) + } + _, err := e.client.CreateRepositoryWithContext(ctx, &ecr.CreateRepositoryInput{ - RepositoryName: aws.String(name), + RepositoryName: aws.String(name), + EncryptionConfiguration: encryptionConfiguration, ImageScanningConfiguration: &ecr.ImageScanningConfiguration{ ScanOnPush: aws.Bool(e.options.ImageScanningConfiguration.ImageScanOnPush), },
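Review bot: CreateRepository now always sends an EncryptionConfiguration, wrapping `e.options.EncryptionConfiguration.EncryptionType` in `aws.String` even when it is empty, so a config built without SetViperDefaults (tests, another loader) would send `EncryptionType: ""` to ECR instead of leaving the field unset and letting the service default apply; I cannot tell from the diff whether such a path exists, so this is a robustness hedge. Building the struct only when a type is configured avoids that, and comparing against the SDK's `ecr.EncryptionTypeKms` rather than a second copy of the `"KMS"` literal keeps this file and config.go from drifting apart. The KmsKey is only meaningful when the type is KMS, which the code already respects. CreateRepository continues past the end of the hunk (the CreateRepositoryInput literal is still open at the last line shown).

```go
	var encryptionConfiguration *ecr.EncryptionConfiguration
	if t := e.options.EncryptionConfiguration.EncryptionType; t != "" {
		encryptionConfiguration = &ecr.EncryptionConfiguration{EncryptionType: aws.String(t)}
		if t == ecr.EncryptionTypeKms {
			encryptionConfiguration.KmsKey = aws.String(e.options.EncryptionConfiguration.KmsKey)
		}
	}
	// … unchanged: CreateRepositoryWithContext call …
```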