AWS News Blog
HAQM Inspector enhances container security by mapping HAQM ECR images to running containers
When running container workloads, you need to understand how software vulnerabilities create security risks for your resources. Until now, you could identify vulnerabilities in your HAQM Elastic Container Registry (HAQM ECR) images, but couldn’t determine whether these images were active in containers or track their usage. Without visibility into whether these images were in use on running clusters, you had limited ability to prioritize fixes based on actual deployment and usage patterns.
Starting today, HAQM Inspector offers two new features that enhance vulnerability management, giving you a more comprehensive view of your container images. First, HAQM Inspector now maps HAQM ECR images to running containers, enabling security teams to prioritize vulnerabilities based on containers currently running in your environment. With these new capabilities, you can analyze vulnerabilities in your HAQM ECR images and prioritize findings based on whether they are currently running and when they last ran in your container environment. Additionally, you can see the cluster HAQM Resource Name (ARN) and the number of EKS pods or ECS tasks where an image is deployed, helping you prioritize fixes based on usage and severity.
Second, we’re extending vulnerability scanning support to minimal base images including scratch, distroless, and Chainguard images, and extending support for additional ecosystems including Go toolchain, Oracle JDK & JRE, HAQM Corretto, Apache Tomcat, Apache httpd, WordPress (core, themes, plugins), and Puppeteer, helping teams maintain robust security even in highly optimized container environments.
Through continual monitoring and tracking of images running on containers, HAQM Inspector helps teams identify which container images are actively running in their environment and where they’re deployed, detecting HAQM ECR images running on containers in HAQM Elastic Container Service (HAQM ECS) and HAQM Elastic Kubernetes Service (HAQM EKS), along with any associated vulnerabilities. This solution supports teams managing HAQM ECR images across single AWS accounts, cross-account scenarios, and AWS Organizations with delegated administrator capabilities, enabling centralized vulnerability management based on the running patterns of container images.
Let’s see it in action
HAQM ECR image scanning helps identify vulnerabilities in your container images through enhanced scanning, which integrates with HAQM Inspector to provide automated, continual scanning of your repositories. To use this new feature, you have to enable enhanced scanning through the HAQM ECR console; you can do so by following the steps in the Configuring enhanced scanning for images in HAQM ECR documentation page. I already have HAQM ECR enhanced scanning enabled, so I don’t have to take any action.
In the HAQM Inspector console, I navigate to General settings and select ECR scanning settings from the navigation panel. Here, I can configure the new Image re-scan mode settings by choosing between Last in-use date and Last pull date. I leave the default, Last in-use date, and set the Image last in use date to 14 days. With these settings, Inspector monitors my images based on whether they were running in my HAQM ECS or HAQM EKS environments within the last 14 days. After applying these settings, HAQM Inspector starts tracking information about images running on containers and incorporating it into vulnerability findings, helping me focus on images actively running in containers in my environment.
After it’s configured, I can view information about images running on containers in the Details menu, where I can see last in-use and pull dates, along with EKS pods or ECS tasks count.
When selecting the number of Deployed ECS Tasks/EKS Pods, I can see the cluster ARN, last use dates, and Type for each image.
To demonstrate cross-account visibility, I have a repository with EKS pods deployed in two accounts. In the Resources coverage menu, I navigate to Container repositories, select my repository name and choose the Image tag. As before, I can see the number of deployed EKS pods/ECS tasks.
When I select the number of deployed EKS pods/ECS tasks, I can see that it is running in a different account.
In the Findings menu, I can review any vulnerabilities, and by selecting one, I can find the Last in use date and Deployed ECS Tasks/EKS Pods involved in the vulnerability under Resource affected data, helping me prioritize remediation based on actual usage.
In the All Findings menu, you can now search for vulnerabilities within account management, using filters such as Account ID, Image in use count and Image last in use at.
Key features and considerations
Monitoring based on container image lifecycle – HAQM Inspector now determines image activity based on four inputs: image push date (14, 30, 60, 90, or 180 days, or lifetime), image pull date (14, 30, 60, 90, or 180 days), stopped duration (never, or 14, 30, 60, 90, or 180 days), and whether the image is currently running on a container. This flexibility lets organizations tailor their monitoring strategy to actual container image usage rather than to repository events alone. For HAQM EKS and HAQM ECS workloads, the last in use, push, and pull durations are set to 14 days, which is now the default for new customers.
Image runtime-aware finding details – To help prioritize remediation efforts, each finding in HAQM Inspector now includes the lastInUseAt date and InUseCount, indicating when an image was last running on containers and the number of deployed EKS pods/ECS tasks currently using it. HAQM Inspector monitors both HAQM ECR last pull date data and container data for images running on HAQM ECS tasks or HAQM EKS pods across all accounts, updating this information at least once daily. HAQM Inspector integrates these details into all findings reports and works seamlessly with HAQM EventBridge. You can filter findings based on the lastInUseAt field using rolling window or fixed range options, and you can filter images based on their last running date within the last 14, 30, 60, or 90 days.
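The prioritization the post describes (rank by whether an image is running now, then by how recently it ran, then by severity) is easy to automate once findings carry `lastInUseAt` and `InUseCount`. The following Python is an added example, not code from the post or from AWS. It runs offline over constructed sample findings whose nesting mirrors the Inspector2 `ListFindings` response (`resources[].details.awsEcrContainerImage`); the `inUseCount`/`lastInUseAt` field placement and the `ecrImageInUseCount`/`ecrImageLastInUseAt` filter keys are assumptions, as are the account ID, ARNs and repository names.

```python
"""Rank HAQM Inspector ECR findings by actual container usage (added example)."""
from datetime import datetime, timedelta, timezone

# Severity order used as the tie-breaker inside a usage bucket.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNTRIAGED": 0}

# Usage buckets, most urgent first. RECENT means "ran within the window
# but has no pods/tasks right now"; the 14-day window is the default the
# post describes for the "Image last in use date" setting.
BUCKET_RANK = {"RUNNING": 3, "RECENT": 2, "STALE": 1, "NEVER": 0}

# Constructed reference time so the example is deterministic.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _finding(n, severity, repo, in_use_count, last_in_use):
    """Build one constructed finding in the ListFindings shape (assumed field placement)."""
    image = {"repositoryName": repo, "imageTags": ["v1"], "inUseCount": in_use_count}
    if last_in_use is not None:
        image["lastInUseAt"] = _iso(last_in_use)
    return {"findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/example-{n}",
            "severity": severity,
            "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                           "details": {"awsEcrContainerImage": image}}]}


# Constructed sample input: same repository family, different usage patterns.
SAMPLE_FINDINGS = [
    _finding(1, "CRITICAL", "payments-api", 3, NOW - timedelta(hours=1)),   # running now
    _finding(2, "CRITICAL", "legacy-batch", 0, NOW - timedelta(days=90)),   # long unused
    _finding(3, "HIGH", "payments-worker", 2, NOW - timedelta(days=1)),     # running now
    _finding(4, "MEDIUM", "nightly-report", 0, NOW - timedelta(days=5)),    # ran recently
    _finding(5, "LOW", "scratch-test", 0, None),                            # never ran
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the samples into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def image_usage(finding):
    """Return (in_use_count, last_in_use_at) for the first ECR image resource, or (0, None)."""
    for res in finding.get("resources", []):
        img = res.get("details", {}).get("awsEcrContainerImage")
        if img:
            last = img.get("lastInUseAt")
            return int(img.get("inUseCount", 0)), (parse_ts(last) if last else None)
    return 0, None


def usage_bucket(in_use_count, last_in_use_at, now=NOW, window_days=14):
    """Classify an image: RUNNING (pods/tasks now), RECENT (within window), STALE, or NEVER."""
    if in_use_count > 0:
        return "RUNNING"
    if last_in_use_at is None:
        return "NEVER"
    if now - last_in_use_at <= timedelta(days=window_days):
        return "RECENT"
    return "STALE"


def prioritize(findings, now=NOW, window_days=14):
    """Sort findings by usage bucket, then severity, then pod/task count (all descending)."""
    rows = []
    for f in findings:
        count, last = image_usage(f)
        rows.append({"findingArn": f["findingArn"],
                     "severity": f.get("severity", "UNTRIAGED"),
                     "bucket": usage_bucket(count, last, now, window_days),
                     "inUseCount": count,
                     "lastInUseAt": last})
    rows.sort(key=lambda r: (BUCKET_RANK[r["bucket"]],
                             SEVERITY_RANK.get(r["severity"], 0),
                             r["inUseCount"]), reverse=True)
    return rows


def in_use_filter_criteria(now=NOW, window_days=14):
    """Server-side equivalent: a ListFindings filterCriteria dict selecting images with at
    least one pod/task that ran inside the rolling window. The key names
    ecrImageInUseCount / ecrImageLastInUseAt are assumed, not taken from the post."""
    return {"ecrImageInUseCount": [{"lowerInclusive": 1}],
            "ecrImageLastInUseAt": [{"startInclusive": now - timedelta(days=window_days),
                                     "endInclusive": now}]}


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f'{row["bucket"]:8} {row["severity"]:9} pods/tasks={row["inUseCount"]} {row["findingArn"]}')
```

The ordering deliberately puts a MEDIUM finding on an image that ran five days ago ahead of a CRITICAL finding on an image nothing has run in 90 days; that is the trade-off the post argues for, and the sort key can be swapped to severity-first if a team prefers. The `in_use_filter_criteria` dict is the shape you would pass as `filterCriteria` to `list_findings` in boto3 to have Inspector do the same narrowing before results leave the service.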
Comprehensive security coverage – HAQM Inspector now provides unified vulnerability assessments for both traditional Linux distributions and minimal base images including scratch, distroless, and Chainguard images through a single service. This extended coverage eliminates the need for multiple scanning solutions while maintaining robust security practices across your entire container ecosystem, from traditional distributions to highly optimized container environments. The service streamlines security operations by providing comprehensive vulnerability management through a centralized platform, enabling efficient assessment of all container types.
Enhanced cross-account visibility – Security management across single accounts, cross-account setups, and AWS Organizations is now supported through delegated administrator capabilities. HAQM Inspector shares image-in-use information within the same organization, which is particularly valuable for accounts maintaining golden image repositories. HAQM Inspector provides the ARNs of all HAQM EKS and HAQM ECS clusters where images are running, if the resource belongs to the account, through an API, providing comprehensive visibility across multiple AWS accounts. The system updates deployed EKS pods or ECS tasks information at least once daily and automatically maintains accuracy as accounts join or leave the organization.
Availability and pricing – The new container mapping capabilities are available now in all AWS Regions where HAQM Inspector is offered at no additional cost. To get started, visit the HAQM Inspector documentation. For pricing details and Regional availability, refer to the HAQM Inspector pricing page.
PS: Writing a blog post at AWS is always a team effort, even when you see only one name under the post title. In this case, I want to thank Nirali Desai for her generous help with technical guidance and expertise, which made this overview possible and comprehensive.
— Eli