Enable Scan on Push for ECR Container Images

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ECR-003

Ensure that all your Amazon ECR container images are automatically scanned for security vulnerabilities and exposures after being pushed to a repository. Scan on Push for Amazon ECR is an automated vulnerability assessment feature that helps you improve the security of your ECR container images by scanning them for a broad range of Operating System (OS) vulnerabilities after they are pushed to an ECR repository. The security feature uses the Common Vulnerabilities and Exposures (CVEs) database from Clair, an open source project designed for static analysis of security issues in appc and Docker containers.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

For the security and compliance status of your applications it is crucial to detect and respond to Amazon ECR container image vulnerabilities in the early stages of deployment. When the Scan on Push security feature is enabled, your container images are automatically scanned after being pushed to your Amazon ECR repository. If Scan on Push is disabled on your repository, then each image scan must be started manually to obtain scan results.


Audit

To determine if the Scan on Push feature is enabled for your Amazon ECR image repositories, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the left navigation panel, under Amazon ECR, select Repositories to access your ECR image repositories.

04 Choose the image repository that you want to examine and check the configuration status available in the Scan on push column to determine the current status of the Scan on Push security feature. If the configuration status is set to Disabled, your container images are not automatically scanned for vulnerabilities when pushed to the selected Amazon ECR repository.

05 Repeat step no. 4 to determine the Scan on Push feature status for other Amazon ECR image repositories available within the current region.

06 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run the describe-repositories command (OSX/Linux/UNIX) to list the names of all Amazon ECR image repositories created in the selected AWS region:

aws ecr describe-repositories \
	--region us-east-1 \
	--output table \
	--query "repositories[*].repositoryName"

02 The command output should return a table with the requested identities (names):

-------------------------
| DescribeRepositories  |
+-----------------------+
|  cc-docker-web-repo   |
|  cc-production-repo   |
+-----------------------+

03 Run the describe-repositories command (OSX/Linux/UNIX) using the name of the Amazon ECR image repository that you want to examine as the identifier parameter, together with custom query filters, to describe the status of the Scan on Push security feature for the selected repository:

aws ecr describe-repositories \
	--region us-east-1 \
	--repository-names cc-docker-web-repo \
	--query "repositories[*].imageScanningConfiguration.scanOnPush"

04 The command output should return the requested feature configuration status:

[
    false
]

If the security feature status returned by the describe-repositories command output is false, as shown in the example above, your container images are not automatically scanned for vulnerabilities when pushed to the selected Amazon ECR repository.

05 Repeat step no. 3 and 4 to determine the Scan on Push feature status for other Amazon ECR image repositories deployed in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

Amazon ECR Scan on Push helps you identify software vulnerabilities within your container images by checking each image against an aggregated set of Common Vulnerabilities and Exposures (CVEs). To configure each Amazon ECR repository to automatically scan your container images for security vulnerabilities when you push them to the repository, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the left navigation panel, under Amazon ECR, select Repositories to access your ECR image repositories.

04 Select the container image repository that you want to reconfigure, and choose Edit.

05 On the Edit repository configuration page, toggle Enabled under Scan on push to enable Scan on Push security feature and have each container image automatically scanned after being pushed to the selected repository. This will apply to future image pushes. Choose Save to apply the configuration changes.

06 Repeat step no. 4 and 5 to enable Scan on Push feature for other Amazon ECR image repositories available within the current AWS cloud region.

07 Change the AWS region from the navigation bar to repeat the remediation process for other regions.

Using AWS CLI

01 Run the put-image-scanning-configuration command (OSX/Linux/UNIX) using the name of the Amazon ECR image repository that you want to reconfigure as the identifier parameter, to update the image scanning settings of the selected ECR repository so that each container image is automatically scanned for vulnerabilities after being pushed to the repository:

aws ecr put-image-scanning-configuration \
	--region us-east-1 \
	--repository-name cc-docker-web-repo \
	--image-scanning-configuration scanOnPush=true

02 The output should return the put-image-scanning-configuration command request metadata:

{
    "repositoryName": "cc-docker-web-repo",
    "registryId": "123456789012",
    "imageScanningConfiguration": {
        "scanOnPush": true
    }
}

03 Repeat step no. 1 and 2 to enable Scan on Push security feature for other Amazon ECR image repositories deployed in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire remediation process for other regions.
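The audit and remediation procedures above are repeated per repository and per region by hand. The following script is an added example (not part of the Conformity rule or of AWS tooling) that automates both: it parses the JSON that aws ecr describe-repositories --output json returns for each region, lists every repository whose imageScanningConfiguration.scanOnPush is not true (treating a missing key as disabled), and emits the matching put-image-scanning-configuration commands from the remediation steps. The region names, repository names and account id in SAMPLE_RESPONSES are constructed sample data, and the script name audit_ecr_scan.py in the usage comment is an assumption.

```python
"""Audit Amazon ECR repositories for Scan on Push and emit remediation commands.

Input: one `aws ecr describe-repositories --output json` response per region.
Output: non-compliant repositories and the put-image-scanning-configuration
command that would enable Scan on Push for each of them.
"""
import json
import sys
from typing import Dict, List

# Constructed sample responses, one per region, shaped like the output of
# `aws ecr describe-repositories`. Names and the account id are made up.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {
        "repositories": [
            {
                "repositoryName": "cc-docker-web-repo",
                "registryId": "123456789012",
                "imageScanningConfiguration": {"scanOnPush": False},
            },
            {
                "repositoryName": "cc-production-repo",
                "registryId": "123456789012",
                "imageScanningConfiguration": {"scanOnPush": True},
            },
        ]
    },
    "eu-west-1": {
        "repositories": [
            # Key omitted on purpose: an absent configuration is treated as disabled.
            {"repositoryName": "legacy-batch-repo", "registryId": "123456789012"},
        ]
    },
}


def scan_on_push_enabled(repository: dict) -> bool:
    """True only when the repository explicitly reports scanOnPush=true."""
    config = repository.get("imageScanningConfiguration") or {}
    return config.get("scanOnPush") is True


def find_unscanned_repositories(response: dict) -> List[str]:
    """Repository names in one describe-repositories response with Scan on Push off."""
    return [
        repo["repositoryName"]
        for repo in response.get("repositories", [])
        if not scan_on_push_enabled(repo)
    ]


def audit_regions(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map region -> non-compliant repository names; compliant regions are omitted."""
    findings: Dict[str, List[str]] = {}
    for region, response in responses.items():
        names = find_unscanned_repositories(response)
        if names:
            findings[region] = names
    return findings


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """One put-image-scanning-configuration command per finding, sorted by region."""
    return [
        "aws ecr put-image-scanning-configuration "
        f"--region {region} --repository-name {name} "
        "--image-scanning-configuration scanOnPush=true"
        for region, names in sorted(findings.items())
        for name in names
    ]


if __name__ == "__main__":
    # Live usage (assumed script name):
    #   aws ecr describe-repositories --region us-east-1 --output json \
    #     | python3 audit_ecr_scan.py us-east-1
    # Without piped input the constructed sample data is audited instead.
    if not sys.stdin.isatty() and len(sys.argv) > 1:
        responses = {sys.argv[1]: json.load(sys.stdin)}
    else:
        responses = SAMPLE_RESPONSES
    findings = audit_regions(responses)
    for region, names in sorted(findings.items()):
        for name in names:
            print(f"NON-COMPLIANT {region} {name}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

The script only prints the remediation commands rather than running them, so the change can be reviewed before it is applied. As the console steps note, enabling Scan on Push only covers future pushes; images already in a repository are not scanned retroactively.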

Publication date Oct 28, 2020