Profile Applicability:
- Level 1
Description:
Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry that enables developers to store, manage, and deploy container images. Scan on push is a feature in ECR that automatically scans container images for vulnerabilities upon image upload. This SOP ensures that ECR registries have the scan on push feature enabled, which helps identify security vulnerabilities in container images at the time of upload, reducing the risk of deploying vulnerable containers into production.
Rationale:
Security: Scanning images as they are pushed into ECR allows early detection of vulnerabilities, preventing potentially unsafe images from being used in production.
Compliance: Many security standards (e.g., SOC 2, HIPAA) require automated scanning of container images to ensure that they do not contain known security vulnerabilities.
Best Practices: Enabling scan on push ensures that all container images are proactively scanned for vulnerabilities without the need for manual intervention.
Impact:
Pros:
Improved Security: Automatically scans container images for known vulnerabilities, reducing the risk of deploying compromised images.
Proactive Vulnerability Management: Identifies vulnerabilities before containers are deployed, providing better control over container security.
Compliance: Helps meet compliance requirements for vulnerability management and secure software deployment.
Cons:
Performance: Scanning large container images can consume additional time during the image push process, potentially leading to delays.
Cost: While minimal, enabling image scanning may incur additional charges for scanning services.
Default Value:
By default, ECR does not have the scan on push feature enabled. This feature must be explicitly configured when the repository is created, or updated on an existing repository afterwards.
Pre-requisite:
AWS IAM Permissions:
ecr:DescribeRepositories
ecr:PutLifecyclePolicy
ecr:SetRepositoryPolicy
ecr:PutImageScanningConfiguration
AWS CLI installed and configured.
ECR Registry is created and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon ECR under Services.
In the ECR Console, select Repositories.
Choose the repository you want to check for scan on push configuration.
In the Repository details page, under the Scan on Push section, check the current setting: it shows Enabled when scan on push is active and Disabled otherwise.
If Scan on Push is not enabled, follow the Implementation Steps below to enable it.
Using AWS CLI:
To describe the ECR repository and check if scan on push is enabled, run:
aws ecr describe-repositories --repository-names <repository-name> --query 'repositories[*].imageScanningConfiguration.scanOnPush'
The output should show:
true if scan on push is enabled.
false if scan on push is disabled.
If scan on push is not enabled, follow the steps in the Implementation Steps to enable it.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon ECR.
In the ECR Console, select Repositories and choose the repository you want to configure.
In the Repository details section, click on Edit.
Under the Scan on Push section, select Enable.
Save the changes to enable scan on push.
Using AWS CLI:
To enable scan on push for an ECR repository, run the following command:
aws ecr put-image-scanning-configuration \
    --repository-name <repository-name> \
    --image-scanning-configuration scanOnPush=true
Verify that scan on push is enabled by running:
aws ecr describe-repositories --repository-names <repository-name> --query 'repositories[*].imageScanningConfiguration.scanOnPush'
The output should show true to confirm that scan on push is enabled for the repository.
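The check-and-enable steps above, applied across every repository in a region as a scripted audit. This is an added example, not part of this SOP; it uses boto3's describe_repositories paginator and put_image_scanning_configuration, and the _FakeEcr stand-in and SAMPLE_REPOS are constructed so it runs offline.

```python
"""Audit ECR repositories for scanOnPush and enable it where it is off."""
from typing import Iterable


def repos_without_scan_on_push(pages: Iterable[dict]) -> list[str]:
    """Names of repositories whose imageScanningConfiguration.scanOnPush is not true.
    `pages` are DescribeRepositories responses, one dict per page."""
    missing = []
    for page in pages:
        for repo in page.get("repositories", []):
            cfg = repo.get("imageScanningConfiguration", {})  # defensive: missing block counts as off
            if cfg.get("scanOnPush") is not True:
                missing.append(repo["repositoryName"])
    return missing


def enforce_scan_on_push(ecr, dry_run: bool = True) -> list[str]:
    """Walk all repositories; with dry_run=False, enable scanOnPush on the non-compliant ones.
    Returns the repositories that were (or would be) changed."""
    paginator = ecr.get_paginator("describe_repositories")
    targets = repos_without_scan_on_push(paginator.paginate())
    if not dry_run:
        for name in targets:
            ecr.put_image_scanning_configuration(
                repositoryName=name,
                imageScanningConfiguration={"scanOnPush": True},
            )
    return targets


class _FakeEcr:
    """Constructed stand-in for boto3.client('ecr') so the audit runs offline."""
    def __init__(self, repos):
        self.repos = {r["repositoryName"]: dict(r) for r in repos}

    def get_paginator(self, name):
        assert name == "describe_repositories"
        items = list(self.repos.values())

        class _Paginator:
            def paginate(self, **kwargs):
                yield {"repositories": items[:1]}   # two pages, to exercise pagination handling
                yield {"repositories": items[1:]}
        return _Paginator()

    def put_image_scanning_configuration(self, repositoryName, imageScanningConfiguration):
        self.repos[repositoryName]["imageScanningConfiguration"] = dict(imageScanningConfiguration)
        return {"repositoryName": repositoryName, "imageScanningConfiguration": imageScanningConfiguration}


SAMPLE_REPOS = [  # constructed sample data
    {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "legacy"},
]

if __name__ == "__main__":
    client = _FakeEcr(SAMPLE_REPOS)  # in practice: boto3.client("ecr", region_name="<REGION>")
    print("non-compliant (dry run):", enforce_scan_on_push(client))
    print("remediated:", enforce_scan_on_push(client, dry_run=False))
    print("remaining:", enforce_scan_on_push(client))
```

If the registry uses enhanced scanning, scan on push is governed by the registry scanning configuration (aws ecr get-registry-scanning-configuration) rather than this per-repository flag, so audit that setting as well.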
Backout Plan:
Using AWS Console:
If enabling scan on push causes issues, sign in to the AWS Management Console.
Navigate to Amazon ECR, select the repository, and click Edit in the Image scanning section.
Disable Scan on push and save the changes.
Ensure that the repository is no longer set to automatically scan images on push.
Using AWS CLI:
To disable scan on push, run the following command:
aws ecr put-image-scanning-configuration \
    --repository-name <repository-name> \
    --image-scanning-configuration scanOnPush=false \
    --region <region>
Verify that scan on push has been disabled by describing the repository again:
aws ecr describe-repositories --repository-names <REPOSITORY_