Profile Applicability:
• Level 1
Description:
Scan images being deployed to Amazon EKS for vulnerabilities using Amazon ECR's built-in scanning functionality or a third-party image scanning provider.
Rationale:
Vulnerabilities in software packages can be exploited by attackers to obtain unauthorized access to cloud resources. Amazon ECR and other third-party providers allow images to be scanned for known vulnerabilities before they are deployed, providing a proactive defense against these risks.
Impact:
Pros:
Enhanced security by identifying and mitigating vulnerabilities in container images before deployment.
Reduces risk of deploying compromised or vulnerable images into production.
Cons:
Scanning may result in delays in deployment, particularly with large images or when scanning a large number of images.
Unsupported images (e.g., Docker scratch images) will not be scanned.
Common image scan failures:
UnsupportedImageError: Occurs when scanning images built with unsupported operating systems.
UNDEFINED severity level: Can occur if the vulnerability is not assigned a recognized priority.
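The two failure modes above matter most when scan results are used to gate a deployment: an image that could not be scanned is not a clean image, and an UNDEFINED finding is one nobody has prioritized yet. The following is an added example, not part of this benchmark text, of a small gate that evaluates the JSON document returned by aws ecr describe-image-scan-findings. The sample documents, repository names and CVE placeholders are constructed; the blocking policy (fail closed on unscannable images, hold UNDEFINED findings for review) is a choice made for the example, not an AWS default.

```python
# Added example: evaluate an ECR image scan document as a deployment gate.
# Real input comes from:
#   aws ecr describe-image-scan-findings --repository-name $REPO_NAME \
#       --image-id imageTag=$TAG --region $REGION_CODE --output json
# The sample documents below are constructed; CVE names are placeholders.
import json
import sys
from dataclasses import dataclass, field

# Severity order used by ECR basic scanning; UNDEFINED means no recognized priority.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2,
                 "INFORMATIONAL": 1, "UNDEFINED": 0}


@dataclass
class GateResult:
    allowed: bool
    reason: str
    blocking: list = field(default_factory=list)      # findings at/above threshold
    needs_review: list = field(default_factory=list)  # UNDEFINED or unknown severity


def evaluate_scan(scan: dict, threshold: str = "HIGH",
                  fail_unscanned: bool = True, block_undefined: bool = True) -> GateResult:
    """Decide whether an image may be deployed, based on its scan document.

    Policy chosen for this example (not an AWS default):
      - an image the scanner could not process (UnsupportedImageError) is
        treated as unverified and blocked while fail_unscanned is True;
      - findings at or above `threshold` block;
      - UNDEFINED-severity findings block until reviewed while block_undefined is True.
    """
    status_obj = scan.get("imageScanStatus", {})
    status = status_obj.get("status", "")
    description = status_obj.get("description", "")

    unsupported = status == "UNSUPPORTED_IMAGE" or (
        status == "FAILED" and "UnsupportedImageError" in description)
    if unsupported:
        return GateResult(not fail_unscanned, "image could not be scanned: " + description)
    if status != "COMPLETE":
        return GateResult(not fail_unscanned, f"scan not complete (status {status or 'unknown'})")

    min_rank = SEVERITY_RANK[threshold]
    blocking, review = [], []
    for finding in scan.get("imageScanFindings", {}).get("findings", []):
        name = finding.get("name", "<unnamed>")
        severity = finding.get("severity", "UNDEFINED")
        if severity not in SEVERITY_RANK or severity == "UNDEFINED":
            review.append(name)          # no recognized priority: needs a human decision
        elif SEVERITY_RANK[severity] >= min_rank:
            blocking.append(name)

    if blocking:
        return GateResult(False, f"{len(blocking)} finding(s) at or above {threshold}", blocking, review)
    if review and block_undefined:
        return GateResult(False, f"{len(review)} finding(s) with UNDEFINED severity need review", [], review)
    return GateResult(True, "no findings at or above threshold", [], review)


# Constructed sample documents shaped like the CLI output.
SAMPLE_CLEAN = {
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {"findings": [{"name": "CVE-PLACEHOLDER-1", "severity": "LOW"}],
                          "findingSeverityCounts": {"LOW": 1}},
    "repositoryName": "example-app", "imageId": {"imageTag": "1.0.0"},
}
SAMPLE_VULNERABLE = {
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {"findings": [
        {"name": "CVE-PLACEHOLDER-2", "severity": "HIGH"},
        {"name": "CVE-PLACEHOLDER-3", "severity": "UNDEFINED"},
        {"name": "CVE-PLACEHOLDER-4", "severity": "MEDIUM"}],
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "UNDEFINED": 1}},
    "repositoryName": "example-app", "imageId": {"imageTag": "1.1.0"},
}
SAMPLE_UNSUPPORTED = {  # e.g. an image built FROM scratch, which basic scanning cannot process
    "imageScanStatus": {"status": "FAILED",
                        "description": "UnsupportedImageError: The operating system and/or "
                                       "package manager are not supported."},
    "repositoryName": "example-scratch", "imageId": {"imageTag": "latest"},
}


def main(argv):
    # Pass a file holding real describe-image-scan-findings output, or run the samples.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            docs = [json.load(fh)]
    else:
        docs = [SAMPLE_CLEAN, SAMPLE_VULNERABLE, SAMPLE_UNSUPPORTED]
    exit_code = 0
    for doc in docs:
        result = evaluate_scan(doc)
        tag = doc.get("imageId", {}).get("imageTag", "?")
        print(f"{doc.get('repositoryName', '?')}:{tag} allowed={result.allowed} ({result.reason})")
        if not result.allowed:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the three sample decisions, or with the path of a saved scan document to gate a real image; a non-zero exit code is what a pipeline step would act on.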
Default Value:
By default, images are not scanned.
Pre-requisites:
Access to Amazon ECR or a third-party image scanning provider.
Proper IAM permissions to configure scanning settings in ECR.
Remediation:
Test Plan:
Using AWS CLI:
To create a repository with image scanning enabled on push:
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
To edit an existing repository’s settings to enable scanning on push:
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
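The two commands above fix one repository at a time; in an account with many repositories the useful first step is to find which ones still have scanOnPush disabled. The following is an added example, not part of this benchmark, that reads the JSON from aws ecr describe-repositories, lists the non-compliant repositories, and emits the exact put-image-scanning-configuration command from this recommendation for each of them. The sample output (repository names and account id) is constructed, and the default region is an assumption for the sample.

```python
# Added example: audit ECR repositories for scan-on-push and generate the
# remediation command for each one that has it disabled. Real input comes from:
#   aws ecr describe-repositories --region $REGION_CODE --output json
# The sample below is constructed.
import json
import sys

SAMPLE_DESCRIBE_REPOSITORIES = {
    "repositories": [
        {"repositoryName": "payments-api",
         "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/payments-api",
         "imageScanningConfiguration": {"scanOnPush": True}},
        {"repositoryName": "web-frontend",
         "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/web-frontend",
         "imageScanningConfiguration": {"scanOnPush": False}},
        # A repository record with no imageScanningConfiguration key at all:
        # the audit treats a missing setting as "not enabled", never as compliant.
        {"repositoryName": "legacy-batch",
         "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy-batch"},
    ]
}


def scan_on_push_enabled(repo: dict) -> bool:
    """True only when the repository explicitly has scanOnPush set to true."""
    return bool(repo.get("imageScanningConfiguration", {}).get("scanOnPush", False))


def noncompliant_repositories(describe_output: dict) -> list:
    """Names of repositories where scan-on-push is disabled or unset."""
    return [r["repositoryName"] for r in describe_output.get("repositories", [])
            if not scan_on_push_enabled(r)]


def remediation_commands(repo_names, region: str) -> list:
    """One put-image-scanning-configuration command per repository, as in the recommendation."""
    return [f"aws ecr put-image-scanning-configuration --repository-name {name} "
            f"--image-scanning-configuration scanOnPush=true --region {region}"
            for name in repo_names]


def audit(describe_output: dict, region: str) -> dict:
    """Summarize compliance and attach the commands needed to remediate."""
    repos = describe_output.get("repositories", [])
    failing = noncompliant_repositories(describe_output)
    return {"total": len(repos),
            "compliant": len(repos) - len(failing),
            "noncompliant": failing,
            "remediation": remediation_commands(failing, region)}


def main(argv):
    # Usage: audit.py [describe-repositories.json] [region]; with no arguments the sample runs.
    region = argv[2] if len(argv) > 2 else "us-east-1"  # assumed region for the sample
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_REPOSITORIES
    report = audit(data, region)
    print(f"{report['compliant']}/{report['total']} repositories have scanOnPush enabled")
    for cmd in report["remediation"]:
        print(cmd)
    return 0 if not report["noncompliant"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The generated commands are printed rather than executed so the output can be reviewed, and applied with the permissions noted under Pre-requisites, before anything changes in the account.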
Using AWS Console:
Open the Amazon ECR console (https://console.aws.amazon.com/ecr/).
Choose the region where you want to create or configure the repository.
Select the repository containing the image to scan.
On the Images page, select the image to scan and click Scan.
Implementation Plan:
Using AWS CLI:
Create a repository with scanning on push enabled using the command provided in the remediation section.
Edit the scanning configuration of an existing repository to enable image scanning on push.
Using AWS Console:
Create a repository with image scanning on push enabled through the Amazon ECR Console.
Alternatively, manually trigger image scanning for existing images via the Console.
Backout Plan:
Using AWS CLI:
To disable image scanning on push, use the following command:
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=false --region $REGION_CODE
If necessary, delete the repository or restore previous configurations.
Using AWS Console:
Navigate to the ECR Console and modify the image scanning settings.
Revert to previous configurations if required.