5.1 Image Registry and Image Scanning
5.1.1 Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Automated)
Recommended Action
To utilize AWS ECR for image scanning, follow the steps below:
To create a repository configured for scan on push (AWS CLI):
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
To edit the settings of an existing repository (AWS CLI):
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
Use the following steps to start a manual image scan using the AWS Management Console.
- Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
- From the navigation bar, choose the Region to create your repository in.
- In the navigation pane, choose Repositories.
- On the Repositories page, choose the repository that contains the image to scan.
- On the Images page, select the image to scan and then choose Scan.
5.1.2 Minimize user access to Amazon ECR (Manual)
Recommended Action
Before you use IAM to manage access to Amazon ECR, you should understand what IAM features
are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other
AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
5.1.3 Minimize cluster access to read-only for Amazon ECR (Manual)
Recommended Action
You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites.
The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess
the following IAM policy permissions for Amazon ECR.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
5.1.4 Minimize Container Registries to only those approved (Manual)
Recommended Action
To minimize AWS ECR container registries to only those approved, you can follow these steps:
- Define your approval criteria: Determine the criteria that containers must meet to
be considered approved. This can include factors such as security, compliance,
compatibility, and other requirements.
- Identify all existing ECR registries: Identify all ECR registries that are currently
being used in your organization.
- Evaluate ECR registries against approval criteria: Evaluate each ECR registry
against your approval criteria to determine whether it should be approved or not.
This can be done by reviewing the registry settings and configuration, as well as
conducting security assessments and vulnerability scans.
- Establish policies and procedures: Establish policies and procedures that outline
how ECR registries will be approved, maintained, and monitored. This should
include guidelines for developers to follow when selecting a registry for their
container images.
- Implement access controls: Implement access controls to ensure that only
approved ECR registries are used to store and distribute container images. This
can be done by setting up IAM policies and roles that restrict access to
unapproved registries or create a whitelist of approved registries.
- Monitor and review: Continuously monitor and review the use of ECR registries
to ensure that they continue to meet your approval criteria. This can include
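As an added example for this control (not part of the Benchmark text), the following Python check flags container image references whose registry is not on an approved list, resolving the implicit docker.io registry the way Docker does; the ECR account id, hostnames and image references are constructed placeholders.

```python
"""Flag container images that do not come from an approved registry.

Added example for control 5.1.4; not part of the CIS Benchmark text.
The approved registry list and the image references below are constructed
sample values (111122223333 is a placeholder account id).
"""
from typing import List, Set

# Constructed allowlist: one private ECR registry (account + Region) and ECR Public.
APPROVED_REGISTRIES: Set[str] = {
    "111122223333.dkr.ecr.us-east-1.amazonaws.com",
    "public.ecr.aws",
}


def registry_of(image: str) -> str:
    """Return the registry host of an image reference using Docker's rules.

    The text before the first '/' is a registry only if it contains a '.'
    or ':' or is exactly 'localhost'; otherwise the image lives on docker.io
    (for example 'nginx:1.25' or 'myorg/app@sha256:...').
    """
    first, sep, _ = image.partition("/")
    if not sep:
        return "docker.io"
    if "." in first or ":" in first or first == "localhost":
        return first.lower()  # hostnames are case-insensitive
    return "docker.io"


def unapproved_images(images: List[str],
                      approved: Set[str] = APPROVED_REGISTRIES) -> List[str]:
    """Return the image references whose registry is not in the allowlist."""
    allowed = {r.lower() for r in approved}
    return [img for img in images if registry_of(img) not in allowed]


# Constructed sample: image references as they might appear in pod specs.
SAMPLE_IMAGES = [
    "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments:2.3.1",
    "public.ecr.aws/eks-distro/kubernetes/pause:3.9",
    "nginx:1.25",                        # implicit docker.io/library/nginx
    "myorg/app@sha256:" + "0" * 64,      # implicit docker.io, digest-pinned
    "localhost:5000/dev-tool:latest",
    "111122223333.dkr.ecr.eu-west-1.amazonaws.com/payments:2.3.1",  # same account, unapproved Region
]

if __name__ == "__main__":
    for img in unapproved_images(SAMPLE_IMAGES):
        print(f"not from an approved registry: {img} (registry={registry_of(img)})")
```

An ECR registry hostname is specific to one account and one Region, so the eu-west-1 image is rejected even though it belongs to the approved account.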