How to scan images in ECR container registry using AWS inspector?
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
Today we will discuss how to set up scan-on-push for an ECR private repository using the Amazon Inspector (enhanced scanning) integration, using only the AWS CLI, and then review the findings report.
What is Elastic Container Registry (ECR)?
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions managed through AWS IAM, so that only the users, roles or Amazon EC2 instances you specify can access your repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.
What is image scanning in ECR?
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. The following scanning types are offered.
Enhanced scanning: Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating system and programming language package vulnerabilities. As new vulnerabilities are published, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.
Basic scanning: Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. With basic scanning, you configure your repositories to scan on push or you can perform manual scans and Amazon ECR provides a list of scan findings.
What are image scanning filters in ECR?
When an image scanning type is configured, you may specify that all repositories be scanned or you can specify filters to scope which repositories are scanned. Image scan filters are supported for both the basic and enhanced scanning types.
When a filter is specified, a filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name.
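The filter semantics above have a consequence worth checking before you rely on a filter to scope scanning: a filter without a wildcard is a substring match, so the filter "my_private_repo" used later in this post also selects repositories such as "my_private_repo-test" or "team/my_private_repo". The following Python is an added example, not code from the original post or from AWS, that models the documented matching rules so you can test a --rules document against your repository names before applying it; the repository names are constructed, and the assumption that a wildcard filter must match the whole name (like a shell glob) is mine, not stated by the documentation.

```python
import fnmatch


def repository_filter_matches(filter_text: str, repo_name: str) -> bool:
    """Return True if an ECR registry scanning filter selects repo_name.

    Semantics as documented by ECR:
      - no '*' in the filter: the filter matches every repository whose name
        *contains* the filter text
      - '*' in the filter: '*' stands for zero or more characters
    Assumption (not spelled out in the docs): a wildcard filter has to match
    the whole repository name, like a shell glob, so "prod-*" does not select
    "myprod-api". Confirm against a test repository before relying on it.
    """
    if "*" not in filter_text:
        return filter_text in repo_name
    return fnmatch.fnmatchcase(repo_name, filter_text)


def select_repositories(rules, repo_names):
    """Map each repository name to the set of scan frequencies that apply to it.

    `rules` has the shape of the --rules argument of
    put-registry-scanning-configuration; `repo_names` is a list of repository
    names such as the ones returned by describe-repositories.
    """
    selected = {}
    for rule in rules:
        for repo_filter in rule["repositoryFilters"]:
            for name in repo_names:
                if repository_filter_matches(repo_filter["filter"], name):
                    selected.setdefault(name, set()).add(rule["scanFrequency"])
    return selected


# The rule used in step 2 of this post, and a constructed list of repository
# names to show how far a non-wildcard filter reaches.
PAGE_RULES = [{"repositoryFilters": [{"filter": "my_private_repo",
                                      "filterType": "WILDCARD"}],
               "scanFrequency": "SCAN_ON_PUSH"}]
EXAMPLE_REPOS = ["my_private_repo", "my_private_repo-test",
                 "team/my_private_repo", "unrelated-service"]

if __name__ == "__main__":
    for name, freqs in sorted(select_repositories(PAGE_RULES, EXAMPLE_REPOS).items()):
        print(f"{name}: {sorted(freqs)}")
```

Running the script lists the three repositories that contain the filter text; "unrelated-service" is not selected. If you want scanning limited to a single repository, pick a name that is not a substring of any other repository name, or review the output of describe-repositories against your rules with select_repositories before applying them.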
What is Amazon Inspector?
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
When a software vulnerability or network issue is discovered, Amazon Inspector creates a finding. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and provides remediation guidance. The findings for your account can be analyzed in multiple ways using the Amazon Inspector console, or you can view and process them through other AWS services.
How to scan images in ECR container registry using AWS inspector?
Prerequisites:
AWS CLI and Docker installed and configured.
You can use below link to install and configure AWS CLI and Docker.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
https://cloudaffaire.com/how-to-install-docker-in-aws-ec2-instance/
Step 1: Create a new private container image repository in ECR
## Create a private repository in ECR
aws ecr create-repository \
  --repository-name my_private_repo \
  --image-tag-mutability MUTABLE \
  --image-scanning-configuration scanOnPush=false
Observe: We have disabled scan on push at the repository level. Instead, we will enable scanning at the ECR registry level and use a filter to select this private repository. The repository is created with MUTABLE tags so that a later push can overwrite the latest tag; for production repositories, IMMUTABLE is the safer setting because it stops a tag from being silently re-pointed at a different image.
Step 2: Configure image scanning on push in ECR registry using filters.
## Configure enhanced (Inspector) scanning on push, scoped with a repository filter
aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[{"repositoryFilters":[{"filter":"my_private_repo","filterType":"WILDCARD"}],"scanFrequency":"SCAN_ON_PUSH"}]'
Note: With enhanced scanning, each rule's scanFrequency can be SCAN_ON_PUSH, CONTINUOUS_SCAN (Amazon Inspector rescans the image as new vulnerabilities are published) or MANUAL. Switching the registry to ENHANCED also activates Amazon Inspector for ECR in the account, so the IAM principal running this command needs inspector2:Enable and iam:CreateServiceLinkedRole in addition to ecr:PutRegistryScanningConfiguration.
Step 3: Get image scanning configuration details in ECR
## Get ECR registry scanning configuration (requires a recent AWS CLI v2)
aws ecr get-registry-scanning-configuration

## Get ECR registry details
aws ecr describe-registry

## Get ECR repository details
aws ecr describe-repositories
You can also view the image scanning configuration in AWS console under ECR service “scanning”.
Next, we will build a Docker image and push it to our private ECR repository. Because the repository matches the filter, the push triggers an image scan by Amazon Inspector.
Step 4: Create a new docker image and push the image to your private ECR repository.
## Create a Dockerfile (quoted heredoc so nothing is expanded by the shell)
cat << 'EOF' > Dockerfile
FROM ubuntu:18.04
# Install apache
RUN apt-get update && \
    apt-get -y install apache2
# Write a hello world page
RUN echo 'Hello World!' > /var/www/html/index.html
# Create the apache start script
RUN echo '. /etc/apache2/envvars' > /root/run_apache.sh && \
    echo 'mkdir -p /var/run/apache2' >> /root/run_apache.sh && \
    echo 'mkdir -p /var/lock/apache2' >> /root/run_apache.sh && \
    echo '/usr/sbin/apache2 -D FOREGROUND' >> /root/run_apache.sh && \
    chmod 755 /root/run_apache.sh
EXPOSE 80
CMD /root/run_apache.sh
EOF

## Build the docker image
docker build -t myimage .

## Check that the image was created
docker images --filter reference=myimage

## Authenticate docker to your private ECR registry
## (REGION must be the region in which my_private_repo was created in step 1)
REGION='ap-south-1' && \
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) && \
aws ecr get-login-password --region $REGION | \
  docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com

## Tag the image for the private ECR repository
docker tag myimage:latest $AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/my_private_repo:latest

## Push the image to the private ECR repository (this triggers the scan)
docker push $AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/my_private_repo:latest
Step 5: Get the image scanning findings:
## Get image scanning findings
aws ecr describe-image-scan-findings \
  --repository-name my_private_repo \
  --image-id imageTag=latest
You can also view the findings in the AWS console, both under the ECR service (select the repository, then the image, to see its vulnerabilities) and under the Amazon Inspector service, where the same findings appear alongside those for your other scanned resources.
Note: Scanning on push is asynchronous, so check that imageScanStatus.status in the output is COMPLETE before acting on the findings. Each finding lists the vulnerable package, its installed version, the severity and, where the distribution has published one, the fixed version (fixedInVersion). The scanner only reports known vulnerabilities in operating system and language packages; remediation is to rebuild the image on a current base image with updated packages and push it again, then confirm the new scan no longer reports the finding.
Step 6: Clean up
## Delete the image
aws ecr batch-delete-image \
  --repository-name my_private_repo \
  --image-ids imageTag=latest

## Delete the private repository
aws ecr delete-repository \
  --repository-name my_private_repo \
  --force

## Set registry scanning back to basic (the default)
aws ecr put-registry-scanning-configuration \
  --scan-type BASIC \
  --rules '[]'
Hope you have enjoyed this article. To get more details on AWS ECR and Amazon Inspector, please follow the links below.
https://docs.aws.amazon.com/ecr/index.html
https://docs.aws.amazon.com/inspector/index.html