Profile Applicability:
• Level 1
Description:
Ensure that container images deployed to Amazon EKS are scanned for vulnerabilities using Amazon ECR image scanning or a third-party provider. Regular scanning helps identify and mitigate security risks associated with vulnerabilities in the software packages used by the images.
Rationale:
Vulnerabilities in container images can be exploited by attackers to gain unauthorized access to cloud resources. Using image scanning tools like Amazon ECR image scanning or third-party providers ensures that images are checked for known vulnerabilities before deployment, enhancing the overall security of the Kubernetes environment.
Impact:
Pros:
Prevents unauthorized access and manipulation of container images.
Reduces the risk of malicious code injection or the accidental deployment of insecure images.
Cons:
Requires careful management of IAM policies to avoid accidentally denying necessary access for legitimate users.
Remediation:
Test Plan:
Using AWS Console:
- Go to Amazon ECR in the AWS Console.
- Verify that image scanning is enabled for each repository under Image Scanning Configuration.
Using AWS CLI:
1. Run the following command to check if image scanning is enabled for a repository:
aws ecr describe-repositories --repository-names <REPO_NAME> --region <REGION_CODE>
2. Ensure that scanOnPush is set to true.
Implementation Plan:
Using AWS Console:
- Open the Amazon ECR Console and navigate to Repositories.
- Select the repository and enable image scanning for new images by clicking Edit and ensuring Scan on Push is enabled.
Using AWS CLI:
1. To enable image scanning, run:
aws ecr put-image-scanning-configuration --repository-name <REPO_NAME> --image-scanning-configuration scanOnPush=true --region <REGION_CODE>
2. Apply this to all relevant repositories that store container images.
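The check and the remediation above are per repository; the following added helper (example code, not part of the benchmark) parses the JSON that aws ecr describe-repositories prints, reports every repository whose scanOnPush is not true, and emits the matching put-image-scanning-configuration command for each one. The repository names in SAMPLE_OUTPUT are constructed; with a region argument it calls the installed, authenticated AWS CLI instead.

```python
import json
import subprocess
import sys

def find_unscanned_repositories(describe_output):
    """Return names of repositories whose scanOnPush is not true (a missing
    imageScanningConfiguration block counts as not enabled)."""
    unscanned = []
    for repo in describe_output.get("repositories", []):
        cfg = repo.get("imageScanningConfiguration") or {}
        if cfg.get("scanOnPush") is not True:
            unscanned.append(repo["repositoryName"])
    return unscanned

def remediation_commands(repo_names, region):
    """Build the put-image-scanning-configuration command for each repository."""
    return [
        f"aws ecr put-image-scanning-configuration --repository-name {name} "
        f"--image-scanning-configuration scanOnPush=true --region {region}"
        for name in repo_names
    ]

def fetch_repositories(region):
    """Run the AWS CLI (installed and authenticated) and parse its JSON output."""
    result = subprocess.run(
        ["aws", "ecr", "describe-repositories", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)

# Constructed sample of describe-repositories output, used when no region is given.
SAMPLE_OUTPUT = {
    "repositories": [
        {"repositoryName": "payments-api",
         "imageScanningConfiguration": {"scanOnPush": True}},
        {"repositoryName": "legacy-batch",
         "imageScanningConfiguration": {"scanOnPush": False}},
        {"repositoryName": "sidecar-proxy"},  # no scanning block at all
    ]
}

if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else None
    data = fetch_repositories(region) if region else SAMPLE_OUTPUT
    for cmd in remediation_commands(find_unscanned_repositories(data), region or "<REGION_CODE>"):
        print(cmd)
```

Run it as `python audit_ecr_scanning.py <REGION_CODE>` against a live account; without an argument it audits the constructed sample and prints two remediation commands.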
Backout Plan:
Using AWS Console:
- Revert to the previous IAM policies if a mistake is made.
- Ensure only the correct policies are reattached to users and service accounts.
Using AWS CLI:
1. Use the following command to remove any incorrect or overly permissive IAM policies:
aws iam delete-policy --policy-arn <POLICY_ARN>
2. Attach the correct, least-privilege policies to the appropriate users.