Profile Applicability:

  • Level 1

Description:

Amazon Elastic Container Registry (ECR) supports vulnerability scanning for container images stored in its repositories. This feature helps identify security vulnerabilities in container images before they are deployed. This SOP ensures that after a new image version is pushed to an ECR repository, the image is scanned for vulnerabilities, and any issues are reviewed.

Rationale:

  • Security: Scanning container images for vulnerabilities as they are uploaded to ECR helps identify security risks early, preventing potentially vulnerable images from being deployed in production environments.

  • Compliance: Security standards (e.g., SOC 2, HIPAA) often require the scanning of container images for vulnerabilities, ensuring that the deployed containerized applications do not have known security risks.

  • Best Practices: Implementing image scanning as part of the container lifecycle helps meet industry standards and reduces the risk of compromising production environments.

Impact:

Pros:

  • Improved Security: Vulnerabilities are identified early, allowing teams to remediate them before the image is deployed in production.

  • Automated Process: Vulnerability scanning is automated when scan on push is enabled, reducing manual intervention and streamlining security workflows.

  • Compliance: Helps meet regulatory requirements for vulnerability management in containerized applications.

Cons:

  • Performance: Scanning large container images can increase the time required to push an image to ECR, which could delay deployment.

  • Cost: Regular vulnerability scans incur additional costs associated with scanning services.

Default Value:

ECR scans an image automatically only when scan on push is enabled for the repository. Even then, the scan only produces results; the findings (including any vulnerabilities) are not reviewed unless a process such as this check prompts the review.

Pre-requisite:

  • AWS IAM Permissions:

    • ecr:DescribeImages

    • ecr:BatchGetImage

    • ecr:DescribeImageScanFindings

  • AWS CLI installed and configured.

  • ECR Repository where the image is stored.

  • Image scanning is enabled in ECR.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon ECR under Services.

  3. In the ECR Console, select Repositories.

  4. Choose the repository that holds the container image you want to check.

  5. Under the Images tab, find the newest image version.

  6. Click on the image tag to view detailed information, including the Scan Results section.

    • Review the scan findings and ensure that any vulnerabilities found in the image are noted.

  7. If vulnerabilities are found, review the severity and details of each vulnerability and take appropriate action to remediate them.

Using AWS CLI:

  1. To check the scan findings for the newest image version, use the following command:

    aws ecr describe-images --repository-name <repository-name> --query 'imageDetails[?contains(imageTags, `latest`)].imageDigest' --output text

  2. Get the image digest from the output above and run:

    aws ecr describe-image-scan-findings --repository-name <repository-name> --image-id imageDigest=<image-digest>

  3. Review the output for vulnerabilities found in the image scan findings. The output will include a list of vulnerabilities, their severity (e.g., high, medium, low), and associated CVEs.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon ECR.

  2. In the ECR Console, go to Repositories and select the repository where your image is stored.

  3. Under the Images tab, locate the newest image version (typically marked as latest).

  4. Click on the image tag to view its Scan Results.

  5. If vulnerabilities are found:

    • Review the severity of each vulnerability.

    • Take action based on the severity (e.g., fix the vulnerabilities in the image, rebuild the image, or patch the issues).

  6. If scan on push was not enabled, enable it in the Repository settings to ensure future images are automatically scanned.

Using AWS CLI:

  1. To get the image digest of the latest image, run:

    aws ecr describe-images --repository-name <repository-name> --query 'imageDetails[?contains(imageTags, `latest`)].imageDigest' --output text

  2. Retrieve the scan findings for the latest image by running:

    aws ecr describe-image-scan-findings --repository-name <repository-name> --image-id imageDigest=<image-digest>

  3. The command will return a list of vulnerabilities, including their CVEs and severity levels. Review the vulnerabilities and take action as necessary.

  4. If vulnerabilities are found in the image, address them by patching the image and pushing a new, fixed version to the repository. You can re-scan the image after remediation by manually invoking a scan using:

    aws ecr start-image-scan --repository-name <repository-name> --image-id imageDigest=<image-digest>
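As an added example (not part of this SOP or of AWS's own tooling), the following Python wraps the describe-image-scan-findings command used in both the Test Plan and the Implementation Steps above and applies the review step programmatically: it counts findings by severity, fails the check on anything at or above a chosen severity, and treats a scan that has not reached COMPLETE as a failure rather than a clean result. The script name, the severity threshold and the sample findings are assumptions.

```python
import json
import subprocess
import sys
# Severity labels as ECR basic scanning reports them, least to most severe.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def fetch_scan_findings(repository: str, digest: str) -> dict:
    """Run the SOP's describe-image-scan-findings command and parse its JSON."""
    out = subprocess.check_output([
        "aws", "ecr", "describe-image-scan-findings",
        "--repository-name", repository,
        "--image-id", f"imageDigest={digest}", "--output", "json",
    ])
    return json.loads(out)

def evaluate_scan(result: dict, fail_at: str = "HIGH") -> dict:
    """Count findings per severity; fail on any at or above `fail_at`.
    A scan not yet COMPLETE has an empty findings list, so it fails rather than passing as clean."""
    status = result.get("imageScanStatus", {}).get("status")
    findings = result.get("imageScanFindings", {}).get("findings", [])
    counts = {s: 0 for s in SEVERITY_ORDER}
    blocking = []
    for f in findings:
        sev = f.get("severity", "UNDEFINED")
        if sev not in SEVERITY_ORDER:
            sev = "UNDEFINED"
        counts[sev] += 1
        if SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(fail_at):
            blocking.append((f.get("name", "?"), sev))
    passed = status == "COMPLETE" and not blocking
    return {"status": status, "counts": counts, "blocking": blocking, "passed": passed}

# Constructed sample in the shape the CLI returns; CVE ids are placeholders.
SAMPLE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [
        {"name": "CVE-PLACEHOLDER-1", "severity": "HIGH"},
        {"name": "CVE-PLACEHOLDER-2", "severity": "LOW"},
        {"name": "CVE-PLACEHOLDER-3", "severity": "CRITICAL"},
    ]},
}

if __name__ == "__main__":
    # Usage: python ecr_scan_gate.py <repository-name> <image-digest>; no args evaluates SAMPLE.
    data = fetch_scan_findings(*sys.argv[1:3]) if len(sys.argv) == 3 else SAMPLE
    verdict = evaluate_scan(data)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

The non-zero exit status lets the same script gate a CI pipeline on the scan result.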

Backout Plan:

Using AWS Console:

  1. If the image scan results indicate critical vulnerabilities that cannot be fixed immediately, sign in to Amazon ECR.

  2. You can roll back to a previous, secure image version or create a new version of the image with updated base images or security patches.

  3. Verify that the previous or new image version does not have vulnerabilities and is secure.

Using AWS CLI:

  1. If the scan findings indicate issues with the newest image, you can pull and use a previously known secure image or rebuild the image with necessary updates:

    aws ecr batch-get-image --repository-name <repository-name> --image-ids imageTag=<previous-image-tag> --region <region>

  2. Rebuild or roll back the image to a known secure version and ensure that the vulnerabilities are addressed.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                        | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                       |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.   |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.            |     |     |