Profile Applicability:
• Level 2

Description:
Amazon Elastic Container Registry (ECR) image scanning identifies security vulnerabilities in container images by scanning the latest image versions stored in the registry. This process ensures that newly pushed images are automatically scanned, and any vulnerabilities found are reported so they can be remediated before deployment.

Rationale:
Ensuring that ECR scans the newest image version helps prevent vulnerable container images from being deployed in production. Timely detection of vulnerabilities reduces the attack surface and potential exploit risks within containerized environments.

Impact:
Pros:

  • Detects vulnerabilities in the most recent image versions automatically

  • Supports proactive security in CI/CD pipelines

  • Enables compliance with security policies by maintaining secure images

Cons:

  • Requires configuration of scan triggers and notification mechanisms

  • Potential delays if scans take long or images are large

Default Value:
By default, ECR does not automatically scan every newly pushed image; scans must be enabled and configured.

Pre-requisites:

  • ECR repository with image scanning enabled

  • IAM permissions for ECR scanning and reporting

  • Integration with CI/CD pipeline or monitoring tools

Remediation:

  • Enable image scanning on push for the ECR repository.

  • Configure Amazon EventBridge or AWS Lambda to respond to scan findings.

  • Regularly review scan reports and remediate vulnerabilities promptly.

Test Plan:
Using AWS Console:

  • Navigate to ECR → Repositories → Select repository → Check if "Scan on push" is enabled.

  • Push a new image version to the repository.

  • Confirm that the image scan is initiated and vulnerabilities are reported under the "Image scan findings" tab.

Using AWS CLI:

  • Enable scan on push:

    aws ecr put-image-scanning-configuration --repository-name <repo-name> --image-scanning-configuration scanOnPush=true

  • List images and check scan status:

    aws ecr describe-image-scan-findings --repository-name <repo-name> --image-id imageTag=<tag>
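The two CLI checks above can be turned into an audit that runs across every repository and into a CI gate on the scan results. The following is an added example, not code from AWS or the benchmark: it parses the JSON printed by `aws ecr describe-repositories` and `aws ecr describe-image-scan-findings`, using constructed sample output so it runs offline; `run_aws` is a hypothetical helper for feeding it live output, and the blocking severities are an assumed policy.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample mirroring the shape of `aws ecr describe-repositories` output.
SAMPLE_REPOS = json.dumps({"repositories": [
    {"repositoryName": "payments-api", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "legacy-batch", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "no-config-repo"},  # key absent: treat as not enabled
]})

# Constructed sample mirroring the shape of `aws ecr describe-image-scan-findings` output.
SAMPLE_FINDINGS = json.dumps({
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7, "LOW": 2}
    },
})


def repos_without_scan_on_push(describe_repositories_json: str) -> List[str]:
    """Return names of repositories where scanOnPush is not true (missing config counts as off)."""
    data = json.loads(describe_repositories_json)
    return sorted(
        r["repositoryName"]
        for r in data.get("repositories", [])
        if not r.get("imageScanningConfiguration", {}).get("scanOnPush", False)
    )


def blocking_findings(scan_findings_json: str, block_on=("CRITICAL", "HIGH")) -> Dict[str, int]:
    """Return the severity counts that should block deployment; an empty dict means the gate passes.
    Raises if the scan is not COMPLETE, so an unscanned or still-scanning image never passes silently."""
    data = json.loads(scan_findings_json)
    status = data.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan not complete (status={status})")
    counts = data.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return {sev: n for sev, n in counts.items() if sev in block_on and n > 0}


def run_aws(*args: str) -> str:
    """Hypothetical helper: run an AWS CLI command and return its JSON output (needs credentials)."""
    return subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("scanOnPush disabled:", repos_without_scan_on_push(SAMPLE_REPOS))
    print("blocking findings:", blocking_findings(SAMPLE_FINDINGS))
```

For a live audit, pass `run_aws("ecr", "describe-repositories")` to `repos_without_scan_on_push`, and the output of `run_aws("ecr", "describe-image-scan-findings", "--repository-name", ..., "--image-id", "imageTag=...")` to `blocking_findings`.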


Implementation Plan:

  • Enable scan on push setting for all ECR repositories.

  • Automate image scans during CI/CD processes.

  • Integrate scan findings alerts with security dashboards or notification services.

Backout Plan:

  • Disable scan on push if performance issues arise, but continue manual or scheduled scans.

  • Revert repository settings using AWS Console or CLI.

References:

  • AWS ECR Image Scanning Documentation

  • CIS Benchmarks for Container Security