Profile Applicability:
Level 1
Description:
This control ensures that Amazon Elastic Container Registry (ECR) repositories have image scanning on push enabled. When this feature is active, every container image pushed to the repository is automatically scanned for known vulnerabilities in the packages and dependencies it contains. The scan results help developers and security teams identify and remediate potential threats early in the software delivery process.
Rationale:
Container images often include operating system libraries, open-source dependencies, and third-party packages that may contain known vulnerabilities. Enabling image scanning on push ensures that these vulnerabilities are detected before deployment, reducing the risk of introducing exploitable software components into production environments. This proactive measure supports compliance and continuous security monitoring as part of a secure DevSecOps pipeline.
Impact:
Positive Impact:
Detects vulnerabilities at the earliest possible stage.
Strengthens the security posture of containerized applications.
Helps maintain compliance with standards like SOC 2, ISO 27001, and CIS.
Negative Impact:
May slightly increase image push time.
Additional cost may apply if using enhanced scanning features (e.g., Amazon Inspector).
Default Value:
By default, ECR image scanning on push is disabled. It must be manually enabled for each repository.
Pre-Requisite:
IAM permissions required:
ecr:DescribeRepositories, ecr:PutImageScanningConfiguration, and ecr:GetRepositoryPolicy.
ECR repositories must exist in the account.
Test Plan (Using AWS Console):
Sign in to the AWS Management Console.
Navigate to Amazon ECR → Repositories.
Select a repository.
Under the Configuration tab, find the Image scanning section.
Verify that Scan on push is set to Enabled.
If it is Disabled, this repository is non-compliant.
Implementation Plan (Using AWS Console):
Navigate to Amazon ECR → Repositories.
Select the target repository.
Under the Configuration tab, click Edit.
In the Image scanning section, enable the checkbox for Scan on push.
Save the configuration changes.
For enhanced security, optionally integrate with Amazon Inspector for continuous and deeper vulnerability assessments.
Verify by pushing a new image — scanning should automatically initiate upon image upload.
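The test plan and implementation plan above, scripted as an added example that is not part of this control's text: it evaluates the JSON returned by `aws ecr describe-repositories --output json`, lists every repository whose Scan on push is not enabled, and emits the `aws ecr put-image-scanning-configuration` remediation command for each one. A constructed sample of that output is embedded so the script runs offline; the account ID, region and repository names in it are assumptions, not real resources.

```python
import json

# Constructed sample of `aws ecr describe-repositories --output json`.
# Account ID, region and repository names are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"repositoryName": "payments-api",
         "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/payments-api",
         "imageScanningConfiguration": {"scanOnPush": True}},
        {"repositoryName": "legacy-batch",
         "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/legacy-batch",
         "imageScanningConfiguration": {"scanOnPush": False}},
        # A repository with no scanning block at all must also be flagged.
        {"repositoryName": "no-config-field",
         "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/no-config-field"},
    ]
})


def find_noncompliant(describe_output):
    """Return the names of repositories whose scanOnPush is not true.

    A missing or malformed imageScanningConfiguration is treated as
    non-compliant (fail closed) rather than silently skipped.
    """
    data = json.loads(describe_output)
    noncompliant = []
    for repo in data.get("repositories", []):
        cfg = repo.get("imageScanningConfiguration") or {}
        if cfg.get("scanOnPush") is not True:
            noncompliant.append(repo["repositoryName"])
    return noncompliant


def remediation_commands(repo_names, region="us-east-1"):
    """Build one put-image-scanning-configuration command per repository.

    This is the CLI equivalent of ticking "Scan on push" in the console;
    the region is an assumed default for the example.
    """
    return [
        f"aws ecr put-image-scanning-configuration --region {region} "
        f"--repository-name {name} --image-scanning-configuration scanOnPush=true"
        for name in repo_names
    ]


if __name__ == "__main__":
    # In a real audit, replace SAMPLE_DESCRIBE_OUTPUT with the live CLI output.
    bad = find_noncompliant(SAMPLE_DESCRIBE_OUTPUT)
    print("Non-compliant repositories:", bad)
    for cmd in remediation_commands(bad):
        print(cmd)
```

Run the emitted commands with a principal that holds ecr:PutImageScanningConfiguration, then re-run the audit to confirm the list is empty.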
Backout Plan:
If enabling image scanning causes performance issues or conflicts with custom CI/CD processes, revert by:
Navigating to Amazon ECR → Repositories → [Repository Name] → Configuration → Edit.
Uncheck Scan on push and save the changes.
Ensure that periodic or manual image scans are still performed to maintain compliance.
References: