This rule specifies that ECR private repositories must have image scanning configured for security purposes.
| Field | Value |
| --- | --- |
| Rule | ECR private repositories should have image scanning configured |
| Framework | AWS Foundational Security Best Practices |
| Severity | High |
Description:
ECR (Amazon Elastic Container Registry) private repositories should have image scanning configured to adhere to the AWS Foundational Security Best Practices. Image scanning is a security feature that allows you to identify potential vulnerabilities and security risks in the container images stored in your ECR repositories. By enabling image scanning, you can proactively catch and address security issues before deploying containerized applications.
Troubleshooting steps:
If you encounter any issues while configuring image scanning for your ECR private repositories, you can follow these troubleshooting steps:
Verify repository permissions: Ensure that the IAM role or user you are using has sufficient privileges to enable image scanning for the ECR repository.
Check ECR availability: Confirm that the AWS region where your ECR repository exists supports image scanning. Not all regions may have this feature available.
Confirm repository existence: Validate that the ECR repository you are configuring actually exists. Check for any typos or incorrect repository names.
Review scanning status: If image scanning fails or doesn't seem to work as expected, check the scanning status of the repository. Monitor the AWS CloudWatch logs or ECR API responses for any error messages related to image scanning.
Verify image compatibility: Ensure that the container images stored in the ECR repository are compatible with the image scanning process. Some older image formats may not be supported, so it's important to use compatible images.
Necessary Codes:
To enable image scanning for an ECR private repository, you can use the AWS Command Line Interface (CLI) with the following code:
aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=true
Make sure to replace <repository-name> with the actual name of your ECR repository.

Step-by-Step Guide for remediation:
To configure image scanning for an ECR private repository, follow these steps:
Open a command-line interface or terminal and ensure that you have the AWS CLI installed. If not, install it according to the AWS CLI documentation.
Authenticate with AWS using the AWS CLI by running the following command and following the prompts:
aws configure
Enable scan on push for the repository by running the following command:
aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=true
Replace <repository-name> with the name of the ECR private repository you want to enable image scanning for. Once the command executes successfully, image scanning will be enabled for the specified repository.
To confirm that image scanning is enabled, you can run the following command:
aws ecr describe-repositories --repository-names <repository-name>
Replace <repository-name> with the name of your ECR private repository. In the response, check the imageScanningConfiguration.scanOnPush attribute. If it is set to true, image scanning is successfully configured.

By following these steps, you can configure image scanning for ECR private repositories and enhance the security of your containerized applications.
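As an added worked example (not code from the original page), the check and remediation from the steps above in Python: it parses a constructed describe-repositories response, lists repositories where imageScanningConfiguration.scanOnPush is not true, and builds the put-image-scanning-configuration command for each. The repository names and account ID are invented, and audit_live_account assumes the AWS CLI and credentials are available.

```python
import json
import subprocess

# Constructed sample modelled on the JSON that `aws ecr describe-repositories`
# returns; repository names and the account ID are invented for this example.
SAMPLE_RESPONSE = json.loads("""
{
  "repositories": [
    {"repositoryName": "app-api",
     "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app-api",
     "imageScanningConfiguration": {"scanOnPush": true}},
    {"repositoryName": "app-worker",
     "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app-worker",
     "imageScanningConfiguration": {"scanOnPush": false}},
    {"repositoryName": "legacy-base",
     "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy-base"}
  ]
}
""")


def scan_on_push_enabled(repo: dict) -> bool:
    """True only when imageScanningConfiguration.scanOnPush is explicitly true;
    a missing block counts as disabled, which is how the rule would judge it."""
    return bool(repo.get("imageScanningConfiguration", {}).get("scanOnPush", False))


def noncompliant_repositories(response: dict) -> list:
    """Names of repositories that fail the rule, in the order the API returned them."""
    return [r["repositoryName"] for r in response.get("repositories", [])
            if not scan_on_push_enabled(r)]


def remediation_commands(names: list) -> list:
    """One put-image-scanning-configuration command (from the page) per failing
    repository, as an argv list so no shell quoting is needed."""
    return [["aws", "ecr", "put-image-scanning-configuration",
             "--repository-name", n,
             "--image-scanning-configuration", "scanOnPush=true"] for n in names]


def audit_live_account(apply: bool = False) -> list:
    """Audit the account the AWS CLI is configured for (needs CLI + credentials);
    with apply=True the remediation commands are executed as well."""
    out = subprocess.run(["aws", "ecr", "describe-repositories", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    failing = noncompliant_repositories(json.loads(out))
    if apply:
        for cmd in remediation_commands(failing):
            subprocess.run(cmd, check=True)
    return failing
```

If the registry uses enhanced scanning, scan-on-push is governed by the registry-level scanning configuration (aws ecr put-registry-scanning-configuration) rather than this per-repository flag, so check that as well before concluding a repository is unscanned.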