
Container scanning updates in Amazon ECR private registries using Amazon Inspector

We announced a new Amazon Inspector last week at re:Invent 2021 with improved vulnerability management for cloud workloads. Amazon Inspector is a service used by organizations of all sizes to automate security assessment and management at scale. For Amazon Elastic Container Registry (Amazon ECR) private registry customers, this announcement brings updates, enhancements, and integrations to the native container image scanning feature we released in October 2019. This post walks you through these updates and the new container scanning alternatives for Amazon ECR private registry customers.

Introduction

Scanning container images for vulnerabilities is an important security control within the cloud-native supply chain to help secure the container workloads. Amazon ECR image scanning for private registry now offers two scanning options: enhanced scanning and basic scanning. Both alternatives provide static scanning of container images. Static scanning enables you to scan operating system (OS) packages in container images for Common Vulnerabilities and Exposures (CVE), a public list of known security threats, without the need to set up your own scanning infrastructure or purchase third-party scanning licenses.

With enhanced scanning, Amazon ECR integrates with Amazon Inspector to provide automated, nearly continuous scanning of your repositories. Enhanced scanning with Amazon Inspector scans the supported operating systems and also scans packages for popular programming languages such as Python, Java, C#, and Golang, among others listed in the documentation. With basic scanning, you configure your repositories to scan on push, or you can perform manual scans, and Amazon ECR provides a list of scan findings. We explore these feature updates and configurations further in this post.

Registry-level configuration for image scanning

The repository-level scan-on-push feature available for Amazon ECR private registries has now been deprecated in favor of registry-level scan configurations. While basic scanning is provided by default for your private registry, enhanced scanning can be enabled for your registry to provide automated, continuous scanning to find vulnerabilities in your container images. For existing Amazon ECR private registry customers already using the scan-on-push feature, basic scanning is now enabled by default within Amazon ECR.

You can use either the Amazon ECR console or the AWS CLI to enable basic or enhanced scanning for your private registry. In the Amazon ECR console, select the scan type by navigating to Private registry and then Scanning configuration.

Screenshot of Scanning configuration in Amazon ECR console

The following example enables enhanced scanning using AWS CLI for your private registry and specifies a scan filter. By default, when no rules are specified, Amazon ECR sets the scanning configuration to continuous scanning for all repositories.

aws ecr put-registry-scanning-configuration \
--scan-type ENHANCED \
--rules '[{"repositoryFilters" : [{"filter":"prod","filterType" : "WILDCARD"}],"scanFrequency" : "CONTINUOUS_SCAN"}]' \
--region us-west-2

Enhanced scanning

Amazon ECR enhanced scanning is an integration with Amazon Inspector that performs vulnerability scanning of your container images. Your container images are scanned for both operating system and programming language package vulnerabilities. You can view the scan findings in both Amazon ECR and directly in Amazon Inspector.

With enhanced scanning, you can choose which repositories are configured for automatic, continuous scanning and which are configured for scan on push. This is done by setting scan filters, as demonstrated earlier with the AWS CLI command. When your private registry has enhanced scanning enabled, all repositories matching the scan filters are scanned using enhanced scanning only. Any repositories that don’t match a filter have a manual scan frequency and are not scanned automatically. Hence, in the example above, repositories whose names don’t contain prod have a manual scan frequency and can be scanned using the start-image-scan CLI command.
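To make the filter semantics concrete, here is an added example (not AWS code and not from the original post) that takes the same rules JSON the post passes to put-registry-scanning-configuration and works out which scan frequency each repository name ends up with. It assumes, consistent with the post's own example where the filter prod matched the repository scanrepo-prod, that a WILDCARD filter matches when its value appears anywhere in the repository name, with * standing for any run of characters; the precedence applied when several rules match one repository (CONTINUOUS_SCAN over SCAN_ON_PUSH) is also an assumption. The same matching applies to the scan-on-push filters used with basic scanning.

```python
"""Resolve the scan frequency a registry scanning configuration gives each
repository.

Added example, not AWS code. It assumes, consistent with the post's example in
which the filter "prod" matched the repository scanrepo-prod, that a WILDCARD
filter matches when its value appears anywhere in the repository name, with "*"
standing for any run of characters. Precedence when several rules match the
same repository (CONTINUOUS_SCAN over SCAN_ON_PUSH) is also an assumption.
"""
import json
import re

# The same rules JSON the post passes to
# `aws ecr put-registry-scanning-configuration --rules`.
RULES_JSON = ('[{"repositoryFilters" : [{"filter":"prod","filterType" : "WILDCARD"}],'
              '"scanFrequency" : "CONTINUOUS_SCAN"}]')

# Higher value = more frequent; used only to choose between matching rules.
_PRECEDENCE = {"CONTINUOUS_SCAN": 2, "SCAN_ON_PUSH": 1, "MANUAL": 0}


def wildcard_matches(filter_value: str, repository_name: str) -> bool:
    """True if the WILDCARD filter matches anywhere in the repository name."""
    if not filter_value:
        return False
    # Escape every literal piece; each "*" becomes "any characters".
    pattern = ".*".join(re.escape(part) for part in filter_value.split("*"))
    return re.search(pattern, repository_name) is not None


def scan_frequency_for(rules: list, repository_name: str) -> str:
    """Return CONTINUOUS_SCAN, SCAN_ON_PUSH or MANUAL for one repository.

    A repository that matches no rule ends up MANUAL: it is not scanned
    automatically, which is the "Scanning off" status the post shows for
    scanrepo-test.
    """
    best = "MANUAL"
    for rule in rules:
        matched = any(
            f.get("filterType") == "WILDCARD"
            and wildcard_matches(f.get("filter", ""), repository_name)
            for f in rule.get("repositoryFilters", [])
        )
        if matched:
            freq = rule.get("scanFrequency", "MANUAL")
            if _PRECEDENCE.get(freq, 0) > _PRECEDENCE[best]:
                best = freq
    return best


def scan_plan(rules_json: str, repository_names: list) -> dict:
    """Map each repository name to the frequency the configuration applies."""
    rules = json.loads(rules_json)
    return {name: scan_frequency_for(rules, name) for name in repository_names}


if __name__ == "__main__":
    # The post's two repositories plus constructed names.
    repos = ["scanrepo-prod", "scanrepo-test", "prod", "billing-api"]
    for name, freq in scan_plan(RULES_JSON, repos).items():
        print(f"{name:15s} {freq}")
```

Running it with the post's single rule yields CONTINUOUS_SCAN for scanrepo-prod and MANUAL for scanrepo-test, which matches the "Scanning off" status shown later in the post. Reviewing the output of scan_plan() against your real repository list before applying a configuration is a cheap way to catch a filter that silently leaves production repositories unscanned.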

Let’s look at enhanced scanning in action using the AWS CLI example we used earlier in the blog. We enabled scan-type ENHANCED for the Amazon ECR private registry with filters set for prod repositories with continuous scanning enabled. Automated re-scans are triggered for container images based on whether you use the continual or on-push option in your enhanced scanning settings. Whenever Amazon Inspector adds a new CVE to its database, all eligible container images in your configured Amazon ECR repositories are scanned in response.

First, let’s create two repositories in the private registry to store sample images for production and test purposes.

aws ecr create-repository --repository-name scanrepo-prod
aws ecr create-repository --repository-name scanrepo-test

Next, let’s pull a sample vulnerable image (used here for demonstration purposes only), tag the image, and push it to the production repository we created. Replace the sample AWS account number below with your AWS account number.

In this example, we demonstrate how enhanced scanning identifies the recent Apache Log4j2 vulnerability (CVE-2021-44228) in an Amazon ECR public image.

docker pull public.ecr.aws/docker/library/neo4j:4.4.0
docker tag public.ecr.aws/docker/library/neo4j:4.4.0 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-prod
docker tag public.ecr.aws/docker/library/neo4j:4.4.0 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-test
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 111122223333.dkr.ecr.us-west-2.amazonaws.com
docker push 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-prod
docker push 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-test

Since we have the continuous scans enabled for prod repositories within the private registry, we can see in the following screenshot that the Amazon ECR console displays the findings from Amazon Inspector for the image.

Screenshot of Amazon ECR console displaying findings from Amazon Inspector

The Amazon ECR console lets you dive deeper into the vulnerabilities and organize the findings from the scans through the Amazon Inspector console, as shown below.

Screenshot of Amazon Inspector console findings by vulnerability

Customers can also review the enhanced scan findings by container image, by image layer, and by repository, among other available reporting views, as shown below.

Screenshot of Amazon Inspector console findings by repository

Amazon ECR and Amazon Inspector can also share data with other AWS services, such as AWS Security Hub and Amazon EventBridge (formerly called CloudWatch Events). The screenshot below shows the scan findings available within AWS Security Hub. For more information on EventBridge, see Amazon ECR events and EventBridge.

Screenshot of Security Hub console scan findings

Due to the filter set on prod repositories, the test repository has manual scans enabled, and hence the console shows the Vulnerabilities status as Scanning off.

Screenshot of Amazon ECR console vulnerabilities status set to Scanning off

Customers can build automation and optimization strategies using these enhanced scanning features based on the risk and security baseline of their applications.

Basic scanning

With basic scanning enabled on your private registry, you can configure repository filters to specify which repositories are set to scan on push, or you can perform manual scans using the start-image-scan CLI command. Amazon ECR provides a list of scan findings. Each container image may be scanned once per 24 hours.

Amazon ECR uses the CVE database from the open-source Clair project and provides a list of scan findings. You can review the scan findings for information about the security of the container images that are being deployed. For more information about Clair, see Clair on GitHub. Amazon ECR sends an event to Amazon EventBridge (formerly called CloudWatch Events) when an image scan is completed.
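The scan-completed event is the natural hook for an automated gate. The following added example (not AWS code and not part of the original post) constructs an event in the shape of the "ECR Image Scan" detail-type that Amazon ECR publishes to EventBridge and evaluates its finding-severity-counts against a simple policy, failing closed when the scan did not complete. The account number, digest, timestamp and counts in the sample event are constructed, and the thresholds in POLICY are an assumption chosen for illustration; an EventBridge target such as a Lambda function or a CI step could call evaluate_scan_event() the same way.

```python
"""Apply a severity policy to an ECR scan-completed EventBridge event.

Added example, not AWS code. The event follows the "ECR Image Scan" detail-type
that Amazon ECR publishes to EventBridge when a basic scan finishes; the sample
below is constructed (account, digest, timestamp and counts are made up), and
the thresholds in POLICY are an assumption chosen for illustration.
"""
import json

# Maximum number of findings tolerated per severity; severities not listed are
# not limited. Assumed policy, not a value from the post.
POLICY = {"CRITICAL": 0, "HIGH": 5}


def build_scan_event(repository: str, digest: str, counts: dict,
                     status: str = "COMPLETE", account: str = "111122223333",
                     region: str = "us-west-2") -> str:
    """Construct an event in the shape ECR sends to EventBridge on scan completion."""
    event = {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",   # constructed
        "detail-type": "ECR Image Scan",
        "source": "aws.ecr",
        "account": account,
        "time": "2021-12-10T18:43:48Z",                   # constructed
        "region": region,
        "resources": [f"arn:aws:ecr:{region}:{account}:repository/{repository}"],
        "detail": {
            "scan-status": status,
            "repository-name": repository,
            "image-digest": digest,
            "image-tags": ["latest"],
            "finding-severity-counts": counts,
        },
    }
    return json.dumps(event)


# Constructed sample: one CRITICAL finding, four HIGH, for the post's prod repo.
SAMPLE_EVENT = build_scan_event(
    "scanrepo-prod",
    "sha256:" + "0" * 64,
    {"CRITICAL": 1, "HIGH": 4, "MEDIUM": 12, "LOW": 3},
)


def evaluate_scan_event(event_json: str, policy: dict = POLICY) -> dict:
    """Return a verdict (ALLOW or BLOCK) with its reasons for one scan event."""
    event = json.loads(event_json)
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        raise ValueError("not an ECR Image Scan event")
    detail = event["detail"]
    result = {
        "repository": detail.get("repository-name"),
        "image_digest": detail.get("image-digest"),
        "scan_status": detail.get("scan-status"),
        "violations": [],
        "verdict": "ALLOW",
    }
    # Fail closed: a failed or unsupported scan gives no evidence the image is clean.
    if result["scan_status"] != "COMPLETE":
        result["verdict"] = "BLOCK"
        result["violations"].append({"reason": f"scan status {result['scan_status']}"})
        return result
    counts = detail.get("finding-severity-counts", {})
    for severity, limit in policy.items():
        found = counts.get(severity, 0)
        if found > limit:
            result["violations"].append(
                {"severity": severity, "count": found, "max": limit})
    if result["violations"]:
        result["verdict"] = "BLOCK"
    return result


if __name__ == "__main__":
    print(json.dumps(evaluate_scan_event(SAMPLE_EVENT), indent=2))
```

The verdict keys off the image digest rather than the tag, since tags in a repository can be moved; a consumer enforcing the policy should record the digest it allowed so a later re-scan that adds findings can be matched back to the exact image.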

Further configuration information for basic scanning can be found in the documentation.

Coverage and pricing

Now that you have an idea of the new scanning alternatives available for Amazon ECR, let’s address the questions of coverage and costs. At the moment, Amazon ECR provides CVE scanning for OS packages for most common Linux distributions, including Debian, Ubuntu, and Amazon Linux. Please refer to the supported OS and programming languages documentation for an up-to-date listing.

Basic scanning is available with no additional charge to Amazon ECR customers. Each container image may be scanned once per 24 hours with basic scanning. This limit includes the initial scan on push, if enabled, and any manual scans.

Enhanced scanning is provided and billed through Amazon Inspector. All accounts new to Amazon Inspector are eligible for a 15-day trial to evaluate the service and estimate its cost. During the trial, all eligible container images pushed to Amazon ECR are continually scanned at no cost.

Pricing for enhanced scanning has two tiers. The cost for container images scanned initially on push to Amazon ECR is $0.09 per image scan. Each re-scan of a container image in Amazon ECR configured for continuous scanning is $0.01 per image re-scan. Whenever Amazon Inspector adds a new CVE to its database, all eligible container images in your configured Amazon ECR repositories are automatically re-scanned.

Conclusion

We’re excited to launch this important security feature for Amazon ECR private registry customers today and hope you benefit from it to improve the security posture of your containerized applications. We’d like to learn from you how we can improve the image scanning features via the container roadmap. Please provide us with feedback on what other related functionality you would consider useful.

You can find more information on the feature using the following resources.