Ensure that ECR image scan on push is enabled.

Amazon ECR is a fully managed container registry used to store, manage and deploy container images. ECR image scanning identifies known vulnerabilities (CVEs) in the operating-system packages of an image. With scan on push enabled, every image is scanned automatically as it is pushed to the repository, so vulnerabilities are surfaced before the image is deployed to production rather than discovered afterwards. When a scan completes, ECR publishes a scan-completed event to Amazon EventBridge, and the findings can be retrieved with the DescribeImageScanFindings API.

Risk Level: High
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.CRY.63
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EcrRepository should have imageScanningConfiguration.scanOnPush=true

REMEDIATION

From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that contains the repository to edit.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the Private tab and then select the repository to edit and choose Edit.
  5. Enable the Scan on push toggle and choose Save.

From Command Line
Use the command 'put-image-scanning-configuration', which updates the image scanning configuration for the specified repository. The setting is not retroactive: only images pushed after it is enabled are scanned automatically, so scan images already in the repository with 'aws ecr start-image-scan --repository-name sample-repo --image-id imageTag=latest' and read the results with 'aws ecr describe-image-scan-findings'. Note that AWS documents 'put-image-scanning-configuration' as deprecated in favour of the registry-level 'put-registry-scanning-configuration', which governs enhanced scanning; the repository-level flag evaluated by this rule is the basic-scanning setting.

aws ecr put-image-scanning-configuration --repository-name sample-repo --image-scanning-configuration scanOnPush=true
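The rule's GSL condition can be evaluated locally against the JSON that 'aws ecr describe-repositories' returns, which is handy for auditing an account before or after remediation. The script below is an added example, not CloudGuard or AWS code; it parses that output, lists every repository whose imageScanningConfiguration.scanOnPush is not exactly true (a missing block counts as disabled, as the rule treats it), and prints the matching put-image-scanning-configuration command for each. The embedded sample response is constructed (fake account ID 111122223333 and made-up repository names) so the script runs offline; pipe real CLI output into it for an actual audit.

```python
"""Audit ECR repositories for the scan-on-push setting.

Added example, not CloudGuard or AWS code. It evaluates the same condition
as the GSL rule (imageScanningConfiguration.scanOnPush == true) over the
JSON returned by `aws ecr describe-repositories`, and emits the
put-image-scanning-configuration commands needed to fix the offenders.
Pipe real CLI output into it, or run it without input to use the
constructed sample below.
"""
import json
import sys

# Constructed sample of `aws ecr describe-repositories` output (fake account
# ID and repository names); the field layout matches the real API response.
SAMPLE_DESCRIBE_REPOSITORIES = {
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/api",
            "registryId": "111122223333",
            "repositoryName": "api",
            "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/api",
            "imageTagMutability": "IMMUTABLE",
            "imageScanningConfiguration": {"scanOnPush": True},
        },
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/worker",
            "registryId": "111122223333",
            "repositoryName": "worker",
            "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/worker",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {"scanOnPush": False},
        },
        {
            # Older repository with no scanning block at all: the rule treats
            # a missing setting as disabled, and so does this script.
            "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy",
            "registryId": "111122223333",
            "repositoryName": "legacy",
            "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/legacy",
            "imageTagMutability": "MUTABLE",
        },
    ]
}


def scan_on_push_enabled(repo):
    """GSL condition: imageScanningConfiguration.scanOnPush must be exactly true."""
    config = repo.get("imageScanningConfiguration") or {}
    return config.get("scanOnPush") is True


def region_from_arn(arn):
    """Region is the fourth colon-separated field of an ECR repository ARN."""
    parts = arn.split(":")
    return parts[3] if len(parts) > 3 else ""


def noncompliant_repositories(describe_output):
    """Names of repositories that fail the rule, sorted for stable output."""
    repos = describe_output.get("repositories", [])
    return sorted(r["repositoryName"] for r in repos if not scan_on_push_enabled(r))


def remediation_commands(describe_output):
    """One put-image-scanning-configuration command per non-compliant repository."""
    failing = set(noncompliant_repositories(describe_output))
    commands = []
    repos = sorted(describe_output.get("repositories", []), key=lambda r: r["repositoryName"])
    for repo in repos:
        if repo["repositoryName"] not in failing:
            continue
        cmd = (
            "aws ecr put-image-scanning-configuration"
            f" --repository-name {repo['repositoryName']}"
            " --image-scanning-configuration scanOnPush=true"
        )
        region = region_from_arn(repo.get("repositoryArn", ""))
        if region:
            cmd += f" --region {region}"
        commands.append(cmd)
    return commands


def main():
    # With no piped input, fall back to the constructed sample.
    data = SAMPLE_DESCRIBE_REPOSITORIES if sys.stdin.isatty() else json.load(sys.stdin)
    failing = noncompliant_repositories(data)
    if not failing:
        print("all repositories have scanOnPush=true")
        return 0
    print("scanOnPush disabled on: " + ", ".join(failing))
    for cmd in remediation_commands(data):
        print(cmd)
    return 1  # non-zero exit so a CI job fails on configuration drift


if __name__ == "__main__":
    sys.exit(main())
```

Run it per region, for example 'aws ecr describe-repositories --region us-east-1 | python3 ecr_scan_audit.py'; the region for each generated command is taken from the repository ARN, so the output can be reviewed and then executed as-is. Because scan on push is not retroactive, follow the remediation with 'aws ecr start-image-scan' for images that were already in the affected repositories.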

From TF
Use the resource 'aws_ecr_repository' & property 'image_scanning_configuration.scan_on_push' and set it to 'true'

resource "aws_ecr_repository" "myrepo" {
	...
	image_scanning_configuration {
		scan_on_push = true
	}
	...
}

From CFT
Use the resource 'AWS::ECR::Repository' & property 'ImageScanningConfiguration::ScanOnPush' and set it to 'true'

Resources:
  ImageScanTrue:
    Type: AWS::ECR::Repository
    Properties:
      ...
      ImageScanningConfiguration:
        ScanOnPush: true
      ...

References

  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-edit.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/put-image-scanning-configuration.html

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you push and pull images from your development environments to your repositories.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset