Enable Automated Scanning for Amazon ECR Container Images

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ECR-003

Enable automated scanning of Amazon ECR container images to identify and address security vulnerabilities promptly. Scanning Amazon ECR container images ensures early detection of security vulnerabilities, helping to protect your applications from potential threats and maintain compliance.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The security of your container workloads in Amazon ECR is crucial. Image scanning is an essential step in this process, allowing you to detect vulnerabilities in both operating systems and programming languages without needing to set up your own scanning infrastructure or purchase third-party software. For repositories, Amazon ECR offers the Scan on Push feature, which automatically scans your container images after they are pushed to the repository. For registries, Amazon ECR provides two scanning levels: basic and enhanced. The basic level, enabled by default, uses the Common Vulnerabilities and Exposures (CVEs) database from the Clair project to detect vulnerabilities and generate a list of findings for remediation. The enhanced level, which must be manually enabled, uses Amazon Inspector to offer automated, continuous scanning. This feature also sends notifications via EventBridge when new vulnerabilities are discovered. To maximize your security posture, we strongly recommend enabling automated scanning for Amazon ECR container images. By doing so, you ensure that vulnerabilities are detected and addressed before they can impact your applications.


Audit

To determine if automated scanning is enabled for your Amazon ECR container images, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ECR console available at https://console.aws.amazon.com/ecr/.

03 To check for Amazon ECR image scanning at the repository level, perform the following actions:

  1. In the left navigation panel, under Private registry, select Repositories to access your private repositories.
  2. Select the private image repository that you want to examine, choose Actions, and select Summary under View.
  3. In the Repository details section, check the Scan frequency attribute value to determine the current status of the Scan on Push feature. If Scan frequency is set to Manual, your container images are not automatically scanned for vulnerabilities when they are pushed to the selected Amazon ECR repository.
  4. Repeat steps no. 2 and 3 to determine the Scan on Push feature status for each private ECR image repository available in the current AWS region.

04 To check for Amazon ECR image scanning at the registry level, perform the following operations:

  1. In the left navigation panel, under Private registry, select Settings to access the configuration settings available for your private registry.
  2. In the Scanning section, check the Scan type attribute value to identify the scanning level configured for your private registry. If Scan type is set to Basic, only basic scanning is enabled; therefore, your container images are not automatically scanned for vulnerabilities before getting pushed to production.

05 If Scan on Push feature is not enabled at the repository level (step 3) and Enhanced Scanning is not enabled at the registry level (step 4), your Amazon ECR container images are not automatically and continuously scanned for vulnerabilities.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 To check for Amazon ECR image scanning at the repository level, run the following commands:

  1. Run the describe-repositories command (OSX/Linux/UNIX) to list the names of all private ECR image repositories created in the selected AWS cloud region:
    aws ecr describe-repositories \
      --region us-east-1 \
      --output table \
      --query "repositories[*].repositoryName"
    
  2. The command output should return a table with the requested repository names:
    ---------------------------------
    |     DescribeRepositories      |
    +-------------------------------+
    |  project5/cc-docker-web-repo  |
    |  project5/cc-production-repo  |
    +-------------------------------+
    
  3. Run the describe-repositories command (OSX/Linux/UNIX) with the name of the private ECR image repository that you want to examine as the identifier parameter and custom output filters to get the status of the Scan on Push feature available for the selected repository:
    aws ecr describe-repositories \
      --region us-east-1 \
      --repository-names project5/cc-docker-web-repo \
      --query "repositories[*].imageScanningConfiguration.scanOnPush"
    
  4. The command output should return the Scan on Push security feature status:
    [
    	false
    ]
    

    If the feature status returned by the describe-repositories command output is false, as shown in the output example above, your container images are not automatically scanned for vulnerabilities when they are pushed to the selected Amazon ECR repository.
  5. Repeat steps no. 3 and 4 to determine the Scan on Push feature status for each private ECR image repository available in the selected AWS region.

02 To check for Amazon ECR image scanning at the registry level, run the following commands:

  1. Run the get-registry-scanning-configuration command (OSX/Linux/UNIX) with custom output filters to determine the scanning level configured for your private registry:
    aws ecr get-registry-scanning-configuration \
      --region us-east-1 \
      --query "scanningConfiguration.scanType"
    
  2. The command output should return the scanning type configured for your private registry:
    "BASIC"
    

    If the scanning level returned by the get-registry-scanning-configuration command output is "BASIC", only basic scanning is enabled; therefore, your container images are not automatically scanned for vulnerabilities before getting pushed to production.

03 If Scan on Push feature is not enabled at the repository level (step 1) and Enhanced Scanning is not enabled at the registry level (step 2), your Amazon ECR container images are not automatically and continuously scanned for vulnerabilities.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Audit process for other regions.
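As an added example (not part of this Conformity rule page or of the Conformity tool itself), the POSIX shell script below combines the CLI checks above into a single per-region audit. It reads the registry scan type and every repository's scanOnPush flag with --output text, then applies the rule's decision from step 03: a repository is covered when Scan on Push is enabled or the registry uses Enhanced Scanning. The function names, the ECR_AUDIT_LIVE switch and the sample repository data are assumptions made for this example; with ECR_AUDIT_LIVE unset, the script evaluates a constructed sample instead of calling AWS.

```shell
#!/bin/sh
# Added example for rule ECR-003 (not Conformity's code). Requires the aws CLI and
# credentials only when ECR_AUDIT_LIVE=1; otherwise a constructed sample is evaluated.
set -eu

# ecr_scan_verdict SCAN_TYPE SCAN_ON_PUSH
#   SCAN_TYPE    registry level: BASIC or ENHANCED
#   SCAN_ON_PUSH repository level: True/False (CLI text output) or true/false (JSON)
# Prints COMPLIANT when the image is scanned automatically (Scan on Push enabled or
# Enhanced Scanning active at the registry), NON_COMPLIANT otherwise.
ecr_scan_verdict() {
  scan_type=$1
  scan_on_push=$2
  case "$scan_type" in
    ENHANCED) echo COMPLIANT; return 0 ;;
  esac
  case "$scan_on_push" in
    [Tt]rue) echo COMPLIANT ;;
    *)       echo NON_COMPLIANT ;;
  esac
}

# ecr_audit_lines SCAN_TYPE  (reads "repositoryName<TAB>scanOnPush" lines on stdin)
# Prints "verdict<TAB>repositoryName" per repository; returns 1 if any repository
# is NON_COMPLIANT, so the result can drive a CI gate or a Conformity-style report.
ecr_audit_lines() {
  scan_type=$1
  rc=0
  while IFS="$(printf '\t')" read -r name scan_on_push; do
    [ -n "$name" ] || continue
    verdict=$(ecr_scan_verdict "$scan_type" "$scan_on_push")
    [ "$verdict" = COMPLIANT ] || rc=1
    printf '%s\t%s\n' "$verdict" "$name"
  done
  return $rc
}

# ecr_audit_region REGION: the live path, using the same two commands as the Audit
# section but with --output text so no JSON parser is needed.
ecr_audit_region() {
  region=$1
  scan_type=$(aws ecr get-registry-scanning-configuration --region "$region" \
      --output text --query 'scanningConfiguration.scanType')
  aws ecr describe-repositories --region "$region" --output text \
      --query 'repositories[*].[repositoryName,imageScanningConfiguration.scanOnPush]' \
    | ecr_audit_lines "$scan_type"
}

if [ -n "${ECR_AUDIT_LIVE:-}" ]; then
  ecr_audit_region "${AWS_REGION:-us-east-1}"
else
  # Constructed sample mirroring the page's example output: a BASIC registry with one
  # repository that has Scan on Push disabled and one that has it enabled.
  printf 'project5/cc-docker-web-repo\tFalse\nproject5/cc-production-repo\tTrue\n' \
    | ecr_audit_lines BASIC \
    || echo "ECR-003: at least one repository is not scanned automatically"
fi
```

Run it once per region (ECR_AUDIT_LIVE=1 AWS_REGION=eu-west-1 sh ecr-003-audit.sh) to cover the step 04 region loop. The check treats an ENHANCED registry as covering every repository, which matches the default configuration shown in the Remediation section (a single rule with a "*" wildcard filter); if you have narrowed the Continuous scanning filters, also inspect scanningConfiguration.rules[].repositoryFilters before trusting the verdict.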

Remediation / Resolution

To enable automated, continuous vulnerability scanning for your Amazon ECR container images, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ECR console available at https://console.aws.amazon.com/ecr/.

03 To enable automated vulnerability scanning at the repository level, perform the following actions:

  1. In the left navigation panel, under Private registry, select Repositories to access your private repositories.
  2. Select the private image repository that you want to configure, choose Actions, and select Repository under Edit.
  3. In the Image scanning settings section, toggle the On/Off button available under Scan on push to enable the Scan on Push feature and have each container image automatically scanned after being pushed to the selected Amazon ECR repository. Choose Update to apply the configuration changes.
  4. Repeat steps no. 2 and 3 to enable the Scan on Push feature for each private ECR image repository available in the current AWS region.

04 To enable automated, continuous vulnerability scanning at the registry level, perform the following operations:

  1. In the left navigation panel, under Private registry, select Settings to access the configuration settings available for your private registry.
  2. Choose Edit from the Scanning section and perform the following actions to enable automated scanning:
    1. For Scan type choose Enhanced scanning.
    2. For Continuous scanning filters, check the Continuously scan all repositories setting checkbox. When this option is selected, all of your image repositories are continuously scanned.
    3. To confirm acknowledgment of the additional costs, check the I understand enhanced scanning has additional cost checkbox.

05 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 To enable automated vulnerability scanning at the repository level, run the following commands:

  1. Run the put-image-scanning-configuration command (OSX/Linux/UNIX) with the name of the private ECR image repository that you want to configure as the identifier parameter, to enable the Scan on Push feature and have each container image automatically scanned for vulnerabilities after being pushed to your repository:
    aws ecr put-image-scanning-configuration \
      --region us-east-1 \
      --repository-name project5/cc-docker-web-repo \
      --image-scanning-configuration scanOnPush=true
    
  2. The command output should return the name of the configured repository and the Scan on Push feature status:
    {
    	"registryId": "975050274289",
    	"repositoryName": "project5/cc-docker-web-repo",
    	"imageScanningConfiguration": {
    		"scanOnPush": true
    	}
    }
    
  3. Repeat steps no. 1 and 2 to enable the Scan on Push feature for other Amazon ECR image repositories deployed in the selected AWS cloud region.

02 To enable automated, continuous vulnerability scanning at the registry level, run the following commands:

  1. Run the put-registry-scanning-configuration command (OSX/Linux/UNIX) to enable Enhanced Scanning for your private Amazon ECR registry. By default, when no rules are specified with the --rules command parameter, Amazon ECR sets the scanning configuration to continuous scanning for all repositories:
    aws ecr put-registry-scanning-configuration \
      --region us-east-1 \
      --scan-type ENHANCED
    
  2. The command output should return the scanning configuration information available for your private registry:
    {
    	"registryScanningConfiguration": {
    		"scanType": "ENHANCED",
    		"rules": [
    			{
    				"scanFrequency": "CONTINUOUS_SCAN",
    				"repositoryFilters": [
    					{
    						"filter": "*",
    						"filterType": "WILDCARD"
    					}
    				]
    			}
    		]
    	}
    }
    

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Remediation process for other AWS regions.

Publication date Oct 28, 2020