Description:

Amazon Elastic Container Registry (Amazon ECR) is an AWS-managed container image registry service that is secure, scalable, and reliable. Amazon ECR is an extension to Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). You can manually scan container images stored in Amazon ECR. Alternatively, you can configure your repositories to scan images when you push them to a repository.


Rationale:

Amazon ECR image scanning helps in identifying software vulnerabilities in your container images, and we will be notified about the vulnerabilities once the scanning finishes.


Impact:

Each container image may be scanned once per 24 hours. If scan on push is disabled on a repository, then you must manually start each image scan to get the scan results. When a new repository is configured to scan on push, all new images pushed to the repository will be scanned.


Default Value:

You can manually scan container images stored in Amazon ECR. Or you can configure your repositories to scan images when you push them to a repository.

By Default “Scan on Push” is Disabled.


Pre-requisites:

  • Private/Public Repository
    An Amazon ECR image repository contains your Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts. A public repository is open to publicly pull images from and is visible on the Amazon ECR Public Gallery.


Remediation:

Test Plan:


Using AWS Console: 

  1. Sign in to the Amazon Management Console

  2. Go to the Amazon ECR Console at  https://console.aws.amazon.com/ecr

  3. In the left menu, select Repositories in Amazon ECR

  4. Select the repository that you want to check whether scan on push is enabled or not from the scan on push column

  5. If it is disabled follow the implementation steps to enable it. 

Using AWS CLI:

1. Command to list the names of all Amazon ECR image repositories created in the selected AWS region: 

aws ecr describe-repositories
--region <region-name>
--output table
--query "repositories[*].repositoryName"

The output should return table with all the Repository Names that are present in the region.


2. To describe the status of the Scan on Push security feature for the selected repository: 

aws ecr describe-repositories
  --region us-east-1
  --repository-names <repositorie-name>
  --query "repositories[*].imageScanningConfiguration.scanOnPush"

The output should return true or false according to the status.
True means Scan on Push is enabled.
False means Scan on Push is disabled. 


Implementation steps:

Using AWS Console: 


  1. Sign in to the Amazon Management Console

  2. Go to the Amazon ECR Console at  https://console.aws.amazon.com/ecr

  3. In the left menu, select Repositories in Amazon ECR

  4. Select the Repository you want to modify and click on Edit 

  5. Now select the Enable option to enable scan on push, This will enable the Scan on Push security feature and have each container image automatically scanned after being pushed to the selected repository. This will apply to future image pushes 

  6. Click on Save to apply the configuration changes.



Using AWS CLI:

The following put-image-scanning-configuration example updates the image scanning configuration for the specified repository.

aws ecr put-image-scanning-configuration \
    --repository-name <repo-name> \
    --image-scanning-configuration scanOnPush=true


Backout plan:

If you want to undo the changes, i.e. if you want to disable the scan on push, then follow these steps: 

Using AWS Console: 

  1. Sign in to the Amazon Management Console

  2. Go to the Amazon ECR Console at  https://console.aws.amazon.com/ecr

  3. In the left menu, select Repositories in Amazon ECR

  4. Select the Repository you want to modify and click on Edit

  5. Now select the Disable option to disable scan on push.


Using AWS CLI:
This command will disable the Scan On Push.

aws ecr put-image-scanning-configuration \
    --repository-name <repo-name> \
    --image-scanning-configuration scanOnPush=false

 

Note:

If you are unable to find the status of the scan on the push column, select the setting button on the right side and enable the status.


References:

Image scanning - Amazon ECR

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/put-image-scanning-configuration.html