diff --git a/pkg/config/config.go b/pkg/config/config.go
index 3dabc717..a4bb860d 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -97,7 +97,7 @@ type ImageScanningConfiguration struct {
 }
 type EncryptionConfiguration struct {
- EncryptionType string `yaml:"encryptionType"`
+ EncryptionType string `yaml:"encryptionType" validate:"oneof=KMS AES256"`
 KmsKey string `yaml:"kmsKey"`
 }
@@ -140,6 +140,9 @@ func CheckRegistryConfiguration(r Registry) error {
 if r.AWS.AccountID == "" {
 return errorWithType(`requires a field "accountdId"`)
 }
+ if r.AWS.ECROptions.EncryptionConfiguration.EncryptionType == "KMS" && r.AWS.ECROptions.EncryptionConfiguration.KmsKey == "" {
+ return errorWithType(`requires a field "kmsKey" if encryptionType is set to "KMS"`)
+ }
 case types.RegistryGCP:
 if r.GCP.Location == "" {
 return errorWithType(`requires a field "location"`)
@@ -160,4 +163,5 @@ func SetViperDefaults(v *viper.Viper) {
 v.SetDefault("Target.Type", "aws")
 v.SetDefault("Target.AWS.ECROptions.ImageScanningConfiguration.ImageScanOnPush", true)
 v.SetDefault("Target.AWS.ECROptions.ImageTagMutability", "MUTABLE")
+ v.SetDefault("Target.AWS.ECROptions.EncryptionConfiguration.EncryptionType", "AES256")
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 779dffe7..ed10f129 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -29,6 +29,9 @@ func TestConfigParses(t *testing.T) {
 ImageScanningConfiguration: ImageScanningConfiguration{
 ImageScanOnPush: true,
 },
+ EncryptionConfiguration: EncryptionConfiguration{
+ EncryptionType: "AES256",
+ },
 },
 },
 },
@@ -51,6 +54,9 @@ source:
 ImageScanningConfiguration: ImageScanningConfiguration{
 ImageScanOnPush: true,
 },
+ EncryptionConfiguration: EncryptionConfiguration{
+ EncryptionType: "AES256",
+ },
 },
 },
 },
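Review bot: The new `validate:"oneof=KMS AES256"` tag rejects an empty EncryptionType, while the only default this commit adds (SetViperDefaults, third hunk of this file) is keyed under `Target.`; a source-side Registry, or any ECROptions built without viper, would fail that validator unless the tag reads `validate:"omitempty,oneof=KMS AES256"` — worth confirming where the validator actually runs. The two fields also have no doc comments; I would add `// EncryptionType selects ECR at-rest encryption for created repositories: "AES256" (the default) or "KMS".` and `// KmsKey is the KMS key used when EncryptionType is "KMS"; CheckRegistryConfiguration requires it in that case and it is ignored for any other type.` The struct's opening line is context in this hunk, so placement is straightforward.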
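Review bot: The new check rejects KMS without a kmsKey but accepts the reverse, a kmsKey alongside `AES256`; ecr.go in this diff only forwards KmsKey when the type is KMS, so that key is silently dropped and the operator ends up with a different encryption setting than the configuration suggests. A symmetric guard makes the misconfiguration visible: `if r.AWS.ECROptions.EncryptionConfiguration.EncryptionType != "KMS" && r.AWS.ECROptions.EncryptionConfiguration.KmsKey != "" {` / `return errorWithType(`field "kmsKey" is only used if encryptionType is set to "KMS"`)` / `}`. The literal `"KMS"` now appears in both config.go and ecr.go; a single exported constant in the config package would keep the two comparisons from drifting. CheckRegistryConfiguration and its switch begin before this hunk.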
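Review bot: The test changes only pin the AES256 default; nothing in this diff exercises the new validation paths — `encryptionType: KMS` without `kmsKey` being rejected by CheckRegistryConfiguration, a value outside `KMS`/`AES256` being rejected by the `oneof` tag, or a KMS configuration parsing together with its key. One table case per path in TestConfigParses (or a sibling test for CheckRegistryConfiguration) would lock in the error message introduced in config.go. The same observation applies to the other hunks of this file.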
@@ -90,6 +96,9 @@ target:
 ImageScanningConfiguration: ImageScanningConfiguration{
 ImageScanOnPush: true,
 },
+ EncryptionConfiguration: EncryptionConfiguration{
+ EncryptionType: "AES256",
+ },
 Tags: []Tag{
 {
 Key: "CreatedBy",
@@ -128,6 +137,9 @@ source:
 ImageScanningConfiguration: ImageScanningConfiguration{
 ImageScanOnPush: true,
 },
+ EncryptionConfiguration: EncryptionConfiguration{
+ EncryptionType: "AES256",
+ },
 },
 },
 },
@@ -176,6 +188,9 @@ target:
 ImageScanningConfiguration: ImageScanningConfiguration{
 ImageScanOnPush: true,
 },
+ EncryptionConfiguration: EncryptionConfiguration{
+ EncryptionType: "AES256",
+ },
 ImageTagMutability: "MUTABLE",
 Tags: []Tag{
 {
diff --git a/pkg/registry/ecr.go b/pkg/registry/ecr.go
index e651159d..c456b5ed 100644
--- a/pkg/registry/ecr.go
+++ b/pkg/registry/ecr.go
@@ -104,8 +104,17 @@ func (e *ECRClient) CreateRepository(ctx context.Context, name string) error {
 log.Ctx(ctx).Debug().Str("repository", name).Msg("create repository")
+ encryptionConfiguration := &ecr.EncryptionConfiguration{
+ EncryptionType: aws.String(e.options.EncryptionConfiguration.EncryptionType),
+ }
+
+ if e.options.EncryptionConfiguration.EncryptionType == "KMS" {
+ encryptionConfiguration.KmsKey = aws.String(e.options.EncryptionConfiguration.KmsKey)
+ }
+
 _, err := e.client.CreateRepositoryWithContext(ctx, &ecr.CreateRepositoryInput{
- RepositoryName: aws.String(name),
+ RepositoryName: aws.String(name),
+ EncryptionConfiguration: encryptionConfiguration,
 ImageScanningConfiguration: &ecr.ImageScanningConfiguration{
 ScanOnPush: aws.Bool(e.options.ImageScanningConfiguration.ImageScanOnPush),
 },
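Review bot: EncryptionConfiguration is built and sent unconditionally, so an ECROptions whose EncryptionType is empty (anything constructed outside SetViperDefaults — the NewMockECRClient literal later in this diff had to be patched for exactly that reason) sends `EncryptionType: ""`, which the ECR API is unlikely to accept; leaving the field nil lets the service apply its own default instead. I would only build the struct when a type is configured, as below. Separately, ECR fixes a repository's encryption configuration at creation time, so repositories created before this change keep their previous setting; the CreateRepository doc comment should state that changing encryptionType does not re-encrypt existing repositories. CreateRepository's signature is the hunk context and its tail lies outside the hunk.
```go
	var encryptionConfiguration *ecr.EncryptionConfiguration
	if encryptionType := e.options.EncryptionConfiguration.EncryptionType; encryptionType != "" {
		encryptionConfiguration = &ecr.EncryptionConfiguration{
			EncryptionType: aws.String(encryptionType),
		}
		if encryptionType == "KMS" {
			encryptionConfiguration.KmsKey = aws.String(e.options.EncryptionConfiguration.KmsKey)
		}
	}
	// … unchanged: CreateRepositoryWithContext call with EncryptionConfiguration: encryptionConfiguration …
```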
@@ -326,6 +335,7 @@ func NewMockECRClient(ecrClient ecriface.ECRAPI, region string, ecrDomain string
 options: config.ECROptions{
 ImageTagMutability: "MUTABLE",
 ImageScanningConfiguration: config.ImageScanningConfiguration{ImageScanOnPush: true},
+ EncryptionConfiguration: config.EncryptionConfiguration{EncryptionType: "AES256"},
 Tags: []config.Tag{{Key: "CreatedBy", Value: "k8s-image-swapper"}, {Key: "AnotherTag", Value: "another-tag"}},
 },
 }
diff --git a/pkg/webhook/image_swapper_test.go b/pkg/webhook/image_swapper_test.go
index 66bfcaef..66612ac0 100644
--- a/pkg/webhook/image_swapper_test.go
+++ b/pkg/webhook/image_swapper_test.go
@@ -245,6 +245,9 @@ func TestImageSwapper_Mutate(t *testing.T) {
 ImageScanningConfiguration: &ecr.ImageScanningConfiguration{
 ScanOnPush: aws.Bool(true),
 },
+ EncryptionConfiguration: &ecr.EncryptionConfiguration{
+ EncryptionType: aws.String("AES256"),
+ },
 ImageTagMutability: aws.String("MUTABLE"),
 RepositoryName: aws.String(expectedRepository),
 RegistryId: aws.String("123456789"),
@@ -307,6 +310,9 @@ func TestImageSwapper_MutateWithImagePullSecrets(t *testing.T) {
 ImageScanningConfiguration: &ecr.ImageScanningConfiguration{
 ScanOnPush: aws.Bool(true),
 },
+ EncryptionConfiguration: &ecr.EncryptionConfiguration{
+ EncryptionType: aws.String("AES256"),
+ },
 ImageTagMutability: aws.String("MUTABLE"),
 RegistryId: aws.String("123456789"),
 RepositoryName: aws.String("docker.io/library/nginx"),
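Review bot: Both expectations here (and the second hunk of this file) pin the AES256 default on CreateRepositoryInput, but no test sets `EncryptionType: "KMS"` on the mock client's options and asserts that `KmsKey` reaches the input, so the KMS branch added in ecr.go stays unexercised. A case whose expected input carries `EncryptionConfiguration: &ecr.EncryptionConfiguration{EncryptionType: aws.String("KMS"), KmsKey: aws.String("<constructed-key-id>")}` (placeholder value) would cover it. The enclosing test function starts before this hunk.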