N/A
Source: Kube Bench
ID: 5.1
Version: eks-1.1.0

5.1 Image Registry and Image Scanning

5.1.1 Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)

To use Amazon ECR for image scanning, follow the steps below.

To create a repository configured for scan on push (AWS CLI):

    aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE

To edit the settings of an existing repository (AWS CLI):

    aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE

Use the following steps to start a manual image scan using the AWS Management Console:

1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
2. From the navigation bar, choose the Region to create your repository in.
3. In the navigation pane, choose Repositories.
4. On the Repositories page, choose the repository that contains the image to scan.
5. On the Images page, select the image to scan and then choose Scan.
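Checking every repository by hand does not scale, so the following added example (not part of the kube-bench page or of AWS tooling) audits the JSON that `aws ecr describe-repositories --output json` returns and lists the repositories where scan on push is not enabled, then builds the put-image-scanning-configuration command from the page for each of them. The sample output, account id and repository names are constructed for the example; a repository with no imageScanningConfiguration block at all is treated as not enabled, which is the conservative reading.

```python
import json

# Constructed sample in the shape of `aws ecr describe-repositories --output json`
# (account id, region and repository names are made up for this example).
SAMPLE_DESCRIBE_REPOSITORIES = """
{
  "repositories": [
    {
      "repositoryName": "payments-api",
      "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments-api",
      "imageScanningConfiguration": {"scanOnPush": true}
    },
    {
      "repositoryName": "legacy-batch",
      "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/legacy-batch",
      "imageScanningConfiguration": {"scanOnPush": false}
    },
    {
      "repositoryName": "sandbox",
      "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/sandbox"
    }
  ]
}
"""


def repositories_without_scan_on_push(describe_output):
    """Return the names of repositories whose scanOnPush flag is not true.

    A missing imageScanningConfiguration key is reported as a finding,
    because nothing on the repository asserts that pushed images are scanned.
    """
    data = json.loads(describe_output)
    findings = []
    for repo in data.get("repositories", []):
        config = repo.get("imageScanningConfiguration") or {}
        if config.get("scanOnPush") is not True:
            findings.append(repo["repositoryName"])
    return findings


def remediation_commands(repo_names, region):
    """Build the remediation command from the benchmark for each repository."""
    return [
        "aws ecr put-image-scanning-configuration"
        " --repository-name {name}"
        " --image-scanning-configuration scanOnPush=true"
        " --region {region}".format(name=name, region=region)
        for name in repo_names
    ]


if __name__ == "__main__":
    # Run offline against the constructed sample; in practice pipe in the real CLI output.
    unscanned = repositories_without_scan_on_push(SAMPLE_DESCRIBE_REPOSITORIES)
    for command in remediation_commands(unscanned, "us-east-1"):
        print(command)
```

Usage: `aws ecr describe-repositories --output json > repos.json`, then feed the file contents to `repositories_without_scan_on_push`. One caveat of my own, not from the page: in registries that have moved to registry-level scanning configuration, the effective scanning behaviour is set at the registry (see `aws ecr get-registry-scanning-configuration`), so treat the per-repository flag as necessary evidence, not sufficient evidence, and review the registry setting as well.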

5.1.2 Minimize user access to Amazon ECR (Manual)

Before you use IAM to manage access to Amazon ECR, you should understand what IAM features are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

5.1.3 Minimize cluster access to read-only for Amazon ECR (Manual)

You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites.

The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess the following IAM policy permissions for Amazon ECR.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}
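The control is about keeping the node role at exactly these pull permissions, so the following added example (my own code, not from kube-bench or AWS) parses an IAM policy document and reports any ECR action granted beyond the four read-only actions listed above. It handles the forms IAM allows (a single statement or a list, a single action string or a list), flags wildcards such as `ecr:*` or `ecr:Get*` as excess because they match more than the four actions, and flags NotAction statements, which grant by exclusion. The second, overly broad policy is constructed for the example.

```python
import json

# The pull-only ECR permissions from the benchmark text (compared case-insensitively,
# as IAM action names are).
ECR_READ_ONLY_ACTIONS = {
    "ecr:batchchecklayeravailability",
    "ecr:batchgetimage",
    "ecr:getdownloadurlforlayer",
    "ecr:getauthorizationtoken",
}

# The policy from the benchmark, as it should appear on the node instance role.
NODE_ROLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Constructed example of a policy that also lets nodes push images.
OVERLY_BROAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:BatchGetImage",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload"
    ],
    "Resource": "*"
  }
}
"""


def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excess_ecr_actions(policy_json):
    """Return the sorted list of ECR grants that go beyond the read-only set.

    Wildcards are reported as excess because they match actions outside the
    set; a NotAction statement is reported because it grants by exclusion.
    """
    policy = json.loads(policy_json)
    excess = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in statement:
            excess.add("NotAction statement (grants by exclusion)")
        for action in _as_list(statement.get("Action")):
            lowered = action.lower()
            if action == "*":
                excess.add(action)
            elif lowered.startswith("ecr:"):
                if "*" in action or lowered not in ECR_READ_ONLY_ACTIONS:
                    excess.add(action)
    return sorted(excess)


if __name__ == "__main__":
    print("benchmark policy excess:", excess_ecr_actions(NODE_ROLE_POLICY))
    print("broad policy excess:", excess_ecr_actions(OVERLY_BROAD_POLICY))
```

Feed it the output of `aws iam get-policy-version` (the `Document` field) for each policy attached to the node role; a non-empty result means the role can do more to ECR than pull, and the remediation is to trim the policy back to the four actions shown above.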

5.1.4 Minimize Container Registries to only those approved (Manual)

No remediation