Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry for storing, managing and deploying Docker container images on the AWS platform. Images are stored with versioning, and the service is integrated with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) so that registered containers can be deployed automatically.
Amazon ECR stores container images on Amazon S3, so it inherits all reliability and durability features that Amazon S3 provides.
Without paying anything extra or deploying a third-party scanning tool, you can use Amazon ECR image scanning to check your Docker container images against Common Vulnerabilities and Exposures (CVEs). Amazon ECR uses the CVE database from the open-source CoreOS Clair project, gives you a list of scan findings and scores each vulnerability. Amazon ECR supports static container image scanning for the major versions of the Amazon Linux, Amazon Linux 2, Debian, Ubuntu, CentOS, Oracle Linux, Alpine and RHEL Linux distributions.
Configuration
You can either manually trigger a scan of images that are stored in Amazon ECR, or configure your container repository to scan images automatically when you push them to it.
Manual Scanning
aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2
On-push Scanning
aws ecr put-image-scanning-configuration --repository-name name --image-scanning-configuration scanOnPush=true --region us-east-2
Assessing Image Findings
You can view scan results and findings in the AWS Management Console, or retrieve image scan findings via the AWS CLI.
You can integrate Amazon ECR with Amazon EventBridge to take automatic actions once a scan completes. The EventBridge integration lets you run auto-remediation actions or send notifications and alerts to users.
Storing Image Findings
If you are obliged to retain previous scan results, you can use the following AWS CloudFormation template to store the findings of every scan in an S3 bucket automatically.
The CloudFormation template deploys four components: an ECR repository, an EventBridge rule, a Lambda function and an S3 bucket.
- An ECR repository with on-push scanning enabled; you name it with the RepositoryName parameter.
- An EventBridge rule that connects the repository to the Lambda function and triggers the function when image scanning completes.
- A Lambda function that retrieves the latest scan result and stores it in a private S3 bucket, which you name with the BucketName parameter.
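As an added example (not code from this post or from the ecr-scan-saver project), the Python Lambda handler below does what the template's function is described as doing, and also covers the "retrieve findings via the API / act on the EventBridge event" point from the previous section: it parses the EventBridge "ECR Image Scan" event, pages through the scan findings with describe_image_scan_findings, counts them per severity, flags images that carry findings at or above a chosen threshold, and writes one JSON object per scan to S3 so earlier results are never overwritten. The event field names and the boto3 calls are the real ones; the FINDINGS_BUCKET environment variable, the object key layout, the HIGH threshold, the sample event and the fake clients are assumptions made for this example.

```python
import json
import os
from datetime import datetime, timezone

# Severities in the order a defender triages them; ECR reports these labels per finding.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")


def parse_scan_event(event):
    """Pull repository, digest, tags and status out of an 'ECR Image Scan' event.
    Anything else is rejected so a mis-wired rule cannot produce empty records."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        raise ValueError("not an ECR Image Scan event")
    d = event["detail"]
    return {"repository": d["repository-name"], "digest": d["image-digest"],
            "tags": list(d.get("image-tags", [])), "status": d["scan-status"]}


def fetch_all_findings(ecr, repository, digest):
    """Page through describe_image_scan_findings: one call returns at most 1000 findings,
    and stopping after the first page would under-report the image's exposure."""
    findings = []
    kwargs = {"repositoryName": repository, "imageId": {"imageDigest": digest}}
    while True:
        resp = ecr.describe_image_scan_findings(**kwargs)
        findings.extend(resp.get("imageScanFindings", {}).get("findings", []))
        if not resp.get("nextToken"):
            return findings
        kwargs["nextToken"] = resp["nextToken"]


def summarize(findings):
    """Count findings per severity; unknown labels are kept rather than dropped."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        sev = f.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def exceeds(counts, threshold="HIGH"):
    """True if any finding is at or above `threshold`, the usual gate before promoting an image."""
    cutoff = SEVERITY_ORDER.index(threshold)
    return any(counts.get(sev, 0) > 0 for sev in SEVERITY_ORDER[: cutoff + 1])


def findings_key(repository, digest, when):
    """One object per scan, partitioned by repository and digest (assumed layout)."""
    return f"{repository}/{digest.replace(':', '-')}/{when:%Y%m%dT%H%M%SZ}.json"


def save_findings(event, ecr, s3, bucket, when=None):
    """Retrieve the scanned image's findings and write them, with a severity summary, to S3."""
    meta = parse_scan_event(event)
    # A scan that did not COMPLETE has no findings, but the status itself is still worth keeping.
    findings = fetch_all_findings(ecr, meta["repository"], meta["digest"]) if meta["status"] == "COMPLETE" else []
    counts = summarize(findings)
    record = {**meta, "severity_counts": counts, "blocked": exceeds(counts), "findings": findings}
    key = findings_key(meta["repository"], meta["digest"], when or datetime.now(timezone.utc))
    s3.put_object(Bucket=bucket, Key=key, Body=json.dumps(record).encode(), ContentType="application/json")
    return key, record


def handler(event, context, ecr=None, s3=None):
    """Lambda entry point; real boto3 clients are created only when none are injected."""
    if ecr is None or s3 is None:
        import boto3  # present in the Lambda runtime
        ecr, s3 = ecr or boto3.client("ecr"), s3 or boto3.client("s3")
    key, record = save_findings(event, ecr, s3, os.environ["FINDINGS_BUCKET"])  # hypothetical variable name
    return {"key": key, "severity_counts": record["severity_counts"], "blocked": record["blocked"]}


# --- constructed sample event and fake clients so the module can be run offline ---
SAMPLE_EVENT = {"source": "aws.ecr", "detail-type": "ECR Image Scan",
                "detail": {"repository-name": "my-app", "image-digest": "sha256:" + "ab" * 32,
                           "image-tags": ["1.4.2"], "scan-status": "COMPLETE"}}


class FakeEcr:
    """Serves two pages of made-up findings so the pagination loop is exercised."""
    PAGES = {None: ({"findings": [{"name": "EXAMPLE-1", "severity": "HIGH"},
                                  {"name": "EXAMPLE-2", "severity": "LOW"}]}, "page2"),
             "page2": ({"findings": [{"name": "EXAMPLE-3", "severity": "MEDIUM"}]}, None)}

    def describe_image_scan_findings(self, **kwargs):
        body, token = self.PAGES[kwargs.get("nextToken")]
        return {"imageScanFindings": body, **({"nextToken": token} if token else {})}


class FakeS3:
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body


def demo():
    """Run the pipeline against the constructed event with a fixed timestamp."""
    s3 = FakeS3()
    key, record = save_findings(SAMPLE_EVENT, FakeEcr(), s3, "example-findings-bucket",
                                when=datetime(2021, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    return key, record, s3


if __name__ == "__main__":
    key, record, _ = demo()
    print(key, record["severity_counts"], "blocked" if record["blocked"] else "ok")
```

Two design points: the handler checks the event source and detail-type before doing anything, so a rule that is accidentally broadened does not silently write empty records; and findings are fetched with pagination, because an image with more than 1000 findings would otherwise be recorded as having fewer. The Lambda role needs ecr:DescribeImageScanFindings on the repository and s3:PutObject on the bucket, nothing wider.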
ecr-scan-saver (github.com/sufleio/ecr-scan-saver): this CloudFormation template creates an ECR repository, EventBridge rule, Lambda function and S3 bucket to save ECR image scan results to an S3 bucket.
You can get more information about Amazon ECR container image scanning from the following links:
- Amazon ECR: https://aws.amazon.com/ecr/
- Image Scanning / Amazon ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
- Amazon EventBridge: https://aws.amazon.com/eventbridge/
- Amazon ECR Events and EventBridge: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
- CoreOS Clair: https://github.com/quay/clair
- CVE Database: https://cve.mitre.org
Always remember that security matters, and let us know if you have any feedback or questions at
[email protected]
About the Author:
Gizem Gür
AWS Ambassador & Senior Solutions Architect
Once a software developer and now an AWS Certified Solutions Architect Professional, Gizem is always eager to take on professional challenges. Her meticulousness in her work matches her passion for learning and for sharing her knowledge with tech-savvy professionals and communities.