Description: 

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. 

Rationale: 

Identify any exposed ECR repositories in the environment and make sure repository access is not set to public. Amazon ECR currently supports private images. However, using IAM resource-based permissions, you can configure policies for each repository to allow access to IAM users, roles, or other AWS accounts. 


Impact:

Each container image may be scanned once per 24 hours. If scan on push is disabled on a repository, then you must manually start each image scan to get the scan results. When a new repository is configured to scan on push, all new images pushed to the repository will be scanned.

Default Value:

You can manually scan container images stored in Amazon ECR, or you can configure your repositories to scan images automatically when you push them (scan on push).

Pre-requisites:

  1. A private or public Amazon ECR repository 

  2. An Amazon ECR image repository contains your Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.

  3. A public repository is open for anyone to pull images from and is visible on the Amazon ECR Public Gallery

Remediation:

Test Plan:

  1. Sign in to the AWS Management Console

  2. Go to the Amazon ECR Console at https://console.aws.amazon.com/ecr

  3. In the left menu, under Amazon ECR, select Repositories

  4. Select the repository you want to audit

  5. Find the latest image and check whether its vulnerability scan status is active (the Vulnerabilities column shows scan results rather than no scan)



Using AWS CLI:

  1. The following CLI command describes an image in the specified repository of the account, including its scan status (imageScanStatus) and severity summary of findings (imageScanFindingsSummary).

    aws ecr describe-images \
    --repository-name cluster-autoscaler \
    --image-ids imageTag=v1.13.6



Implementation steps:

  1. Sign in to the AWS Management Console

  2. Go to the Amazon ECR Console at https://console.aws.amazon.com/ecr

  3. In the left menu, under Amazon ECR, select Repositories

  4. Select the repository you want to modify

  5. Find the latest image; its scan result is shown in the Vulnerabilities column 

  6. Click Details in that column to view the vulnerabilities found in the latest image version 



Using AWS CLI:

  1. The following CLI command lists the scan findings (vulnerabilities) for the specified image, identified by its digest.

    aws ecr describe-image-scan-findings \
    --repository-name sample-repo \
    --image-id imageDigest=sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6
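The two CLI calls above, in the Test Plan and the Implementation steps, return JSON that still has to be evaluated by hand. The following script is an added example, not part of this document: it applies the control to the output shapes of `aws ecr describe-repositories` and `aws ecr describe-images` (scanOnPush setting, scan status and severity counts of the most recently pushed image) and flags repositories that fail. The sample documents, repository names and digests are constructed; in practice you would feed it the real CLI output.

```python
"""Audit ECR scan posture from describe-repositories / describe-images JSON."""
import json

# Constructed sample of `aws ecr describe-repositories` output (not real data).
REPOS_JSON = json.dumps({"repositories": [
    {"repositoryName": "sample-repo", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "legacy-api", "imageScanningConfiguration": {"scanOnPush": False}},
]})

# Constructed sample of `aws ecr describe-images` output, one document per repository.
# imagePushedAt is kept as an epoch number here; adapt if your CLI prints ISO timestamps.
IMAGES_JSON = {
    "sample-repo": json.dumps({"imageDetails": [
        {"imageDigest": "sha256:aaa", "imageTags": ["v1"], "imagePushedAt": 1700000000,
         "imageScanStatus": {"status": "COMPLETE"},
         "imageScanFindingsSummary": {"findingSeverityCounts": {"LOW": 4}}},
        {"imageDigest": "sha256:bbb", "imageTags": ["v2"], "imagePushedAt": 1700086400,
         "imageScanStatus": {"status": "COMPLETE"},
         "imageScanFindingsSummary": {"findingSeverityCounts": {"CRITICAL": 1, "LOW": 2}}},
    ]}),
    # Never scanned: no imageScanStatus key at all.
    "legacy-api": json.dumps({"imageDetails": [
        {"imageDigest": "sha256:ccc", "imageTags": ["latest"], "imagePushedAt": 1690000000},
    ]}),
}

BLOCKING = {"CRITICAL", "HIGH"}  # severities that fail the audit (assumed policy)


def latest_image(describe_images_json):
    """Return the most recently pushed imageDetails entry, or None for an empty repo."""
    details = json.loads(describe_images_json).get("imageDetails", [])
    return max(details, key=lambda d: d["imagePushedAt"]) if details else None


def audit(repos_json, images_by_repo):
    """Return {repositoryName: [problem, ...]} for repositories failing the control."""
    report = {}
    for repo in json.loads(repos_json)["repositories"]:
        name, problems = repo["repositoryName"], []
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
            problems.append("scanOnPush disabled")
        img = latest_image(images_by_repo.get(name, '{"imageDetails": []}'))
        if img is None:
            problems.append("no images")
        else:
            status = img.get("imageScanStatus", {}).get("status", "NOT_SCANNED")
            if status != "COMPLETE":
                problems.append(f"latest image scan status {status}")
            counts = img.get("imageScanFindingsSummary", {}).get("findingSeverityCounts", {})
            hits = {s: n for s, n in counts.items() if s in BLOCKING and n}
            if hits:
                problems.append(f"latest image has {hits}")
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    print(json.dumps(audit(REPOS_JSON, IMAGES_JSON), indent=2))
```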



Backout Plan:

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the Region selector in the upper right to specify the Region where you want to disable scans.

  3. In the navigation pane, choose Settings, and then choose Account Management.

  4. Choose the Accounts tab to see the scan status of an account.

  5. Select the check box for the account or accounts for which you want to disable scans.

  6. From the Actions drop-down, select the scan type to disable.


Using AWS CLI:

    aws inspector2 disable --resource-types ECR


Reference:

  1. describe-images - AWS CLI 1.23.0 Command Reference

  2. Image scanning - Amazon ECR

  3. Scanning Amazon ECR container images with Amazon Inspector - Amazon Inspector