
Container scanning updates in HAQM ECR private registries using HAQM Inspector

We announced a new HAQM Inspector last week at re:Invent 2021 with improved vulnerability management for cloud workloads. HAQM Inspector is a service used by organizations of all sizes to automate security assessment and management at scale. For HAQM Elastic Container Registry (HAQM ECR) private registry customers, this announcement brings updates, enhancements, and integrations to the native container image scanning feature we released in October 2019. This post walks you through these updates and the new container scanning alternatives for HAQM ECR private registry customers.

Introduction

Scanning container images for vulnerabilities is an important security control within the cloud-native supply chain and helps secure container workloads. HAQM ECR image scanning for private registries now offers two scanning options: enhanced scanning and basic scanning. Both alternatives provide static scanning of container images. Static scanning lets you check the operating system (OS) packages in a container image against Common Vulnerabilities and Exposures (CVE), a public list of known security threats, without setting up your own scanning infrastructure or purchasing third-party scanning licenses.

With enhanced scanning, HAQM ECR integrates with HAQM Inspector to provide automated, nearly continuous scanning of your repositories. Enhanced scanning with HAQM Inspector covers the supported operating systems and also scans packages for popular programming languages such as Python, Java, C#, and Golang, among others listed in the documentation. With basic scanning, you configure your repositories to scan on push or you perform manual scans, and HAQM ECR provides a list of scan findings. We explore these feature updates and configurations further in this blog.

Registry-level configuration for image scanning

The repository-level scan-on-push feature available for HAQM ECR private registries has now been deprecated in favor of registry-level scan configurations. While basic scanning is provided by default for your private registry, enhanced scanning can be enabled for your registry to provide automated, continuous scanning to find vulnerabilities in your container images. For existing HAQM ECR private registry customers already using the scan-on-push feature, basic scanning is now enabled by default within HAQM ECR.

You can use either the HAQM ECR console or the AWS CLI to enable basic or enhanced scanning for your private registry. In the HAQM ECR console, select the scan type by navigating to Private registry and then Scanning configuration.

Screenshot of Scanning configuration in HAQM ECR console

The following example enables enhanced scanning using AWS CLI for your private registry and specifies a scan filter. By default, when no rules are specified, HAQM ECR sets the scanning configuration to continuous scanning for all repositories.

aws ecr put-registry-scanning-configuration \
--scan-type ENHANCED \
--rules '[{"repositoryFilters" : [{"filter":"prod","filterType" : "WILDCARD"}],"scanFrequency" : "CONTINUOUS_SCAN"}]' \
--region us-west-2

Enhanced scanning

HAQM ECR enhanced scanning is an integration with HAQM Inspector that performs vulnerability scanning for your container images. Your container images are scanned for both operating system and programming language package vulnerabilities. You can view the scan findings in HAQM ECR and directly in HAQM Inspector.

With enhanced scanning, you can choose which repositories are configured for automatic, continuous scanning and which are configured for scan on push. This is done by setting scan filters, as we demonstrated earlier with the AWS CLI command. When your private registry has enhanced scanning enabled, all repositories matching the scan filters are scanned using enhanced scanning only. Any repository that doesn’t match a filter is given a manual scan frequency and is not scanned automatically. In the example above, repositories whose names don’t contain prod therefore have a manual scan frequency and are only scanned when you run the start-image-scan CLI command.
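To make the filter behaviour described above concrete, here is an added example (not code from the original post or from AWS) that builds the `--rules` payload for `aws ecr put-registry-scanning-configuration` and works out which scan frequency a given repository ends up with. Three things are assumptions, not facts from the post: a WILDCARD filter without `*` matches repository names that contain the filter text (which is how the filter `prod` matched `scanrepo-prod`), `*` behaves as a shell-style wildcard, and when two rules match the same repository the more frequent one wins.

```python
"""Model the registry-level scanning configuration rules (added example).

Not code from the original post or from AWS. Builds the --rules JSON for
`aws ecr put-registry-scanning-configuration` and resolves the effective scan
frequency for a repository name. Assumptions are marked in comments.
"""
import fnmatch
import json

# Most frequent first. Ordering assumption: when rules overlap, continuous beats
# on-push, which beats manual.
SCAN_FREQUENCIES = ("CONTINUOUS_SCAN", "SCAN_ON_PUSH", "MANUAL")
_RANK = {freq: i for i, freq in enumerate(SCAN_FREQUENCIES)}


def build_rules(*specs):
    """Turn ("prod", "CONTINUOUS_SCAN") style pairs into the rules list.

    Each spec becomes one rule with one WILDCARD repository filter, the same
    shape as the CLI command earlier on the page.
    """
    rules = []
    for pattern, frequency in specs:
        if frequency not in SCAN_FREQUENCIES:
            raise ValueError(f"unknown scanFrequency {frequency!r}")
        if not pattern:
            raise ValueError("repository filter must not be empty")
        rules.append({
            "repositoryFilters": [{"filter": pattern, "filterType": "WILDCARD"}],
            "scanFrequency": frequency,
        })
    return rules


def rules_json(rules):
    """Serialise rules as compact JSON, ready for the --rules argument."""
    return json.dumps(rules, separators=(",", ":"))


def filter_matches(pattern, repository_name):
    """Assumption: no '*' means substring match; with '*' it is a shell-style glob."""
    if "*" in pattern:
        return fnmatch.fnmatchcase(repository_name, pattern)
    return pattern in repository_name


def effective_frequency(rules, repository_name):
    """Frequency a repository gets under the given rules.

    A repository that matches no rule falls back to MANUAL: it is only scanned
    when someone runs `aws ecr start-image-scan`, as the text above explains.
    """
    best = "MANUAL"
    for rule in rules:
        freq = rule["scanFrequency"]
        matched = any(filter_matches(f["filter"], repository_name)
                      for f in rule["repositoryFilters"])
        if matched and _RANK[freq] < _RANK[best]:
            best = freq
    return best


def cli_command(rules, scan_type="ENHANCED", region="us-west-2"):
    """Assemble the CLI invocation for copy-paste (JSON in single quotes)."""
    return (
        "aws ecr put-registry-scanning-configuration "
        f"--scan-type {scan_type} "
        f"--rules '{rules_json(rules)}' "
        f"--region {region}"
    )


if __name__ == "__main__":
    # prod repositories get continuous scanning; everything else is scanned on push.
    rules = build_rules(("prod", "CONTINUOUS_SCAN"), ("*", "SCAN_ON_PUSH"))
    print(cli_command(rules))
    for repo in ("scanrepo-prod", "scanrepo-test"):
        print(repo, "->", effective_frequency(rules, repo))
```

Running the module prints the CLI command for a two-rule configuration and shows that `scanrepo-prod` resolves to `CONTINUOUS_SCAN` while `scanrepo-test` resolves to `SCAN_ON_PUSH`; with only the page's single `prod` rule, `scanrepo-test` would resolve to `MANUAL`. Check the resulting configuration with `aws ecr get-registry-scanning-configuration` after applying it.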

Let’s look at enhanced scanning in action using the AWS CLI example from earlier in the blog. We enabled scan-type ENHANCED for the HAQM ECR private registry, with a filter that sets prod repositories to continuous scanning. Automated re-scans are triggered for container images depending on whether you chose the continuous or on-push option in your enhanced scanning settings. Whenever HAQM Inspector adds a new CVE to its database, all eligible container images in your configured HAQM ECR repositories are scanned in response.

First, let’s create two repositories in the private registry to store sample images for production and test purposes.

aws ecr create-repository --repository-name scanrepo-prod
aws ecr create-repository --repository-name scanrepo-test

Next, let’s pull a sample vulnerable image (used here for demonstration purposes only), tag it for both repositories we created, and push it. Replace the sample AWS account number below with your own AWS account number.

In this example, we demonstrate how enhanced scanning identifies the recent Apache Log4j2 vulnerability (CVE-2021-44228) in an image from the HAQM ECR public gallery.

docker pull public.ecr.aws/docker/library/neo4j:4.4.0
docker tag public.ecr.aws/docker/library/neo4j:4.4.0 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-prod
docker tag public.ecr.aws/docker/library/neo4j:4.4.0 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-test
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-prod
docker push 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-prod
docker push 111122223333.dkr.ecr.us-west-2.amazonaws.com/scanrepo-test

Since continuous scanning is enabled for prod repositories within the private registry, the HAQM ECR console displays the findings from HAQM Inspector for the image, as the following screenshot shows.

Screenshot of HAQM ECR console displaying findings from HAQM Inspector

From the ECR console you can dive deeper into individual vulnerabilities and organize the scan findings in the HAQM Inspector console, as shown below.

Screenshot of HAQM Inspector console findings by vulnerability

You can also review the enhanced scan findings by container image, by layer, and by repository, among other available reporting views, as shown below.

Screenshot of HAQM Inspector console findings by repository

HAQM ECR and HAQM Inspector can also share data with other AWS services such as AWS Security Hub and HAQM EventBridge (formerly called CloudWatch Events). The screenshot below shows the scan findings available within AWS Security Hub. For more information on EventBridge, see HAQM ECR events and EventBridge.

Screenshot of Security Hub console scan findings

Because the filter only matches prod repositories, the test repository has a manual scan frequency, and the console therefore shows its Vulnerabilities status as Scanning off.

Screenshot of HAQM ECR console vulnerabilities status set to Scanning off

Customers can build automation and optimization strategies using these enhanced scanning features based on the risk and security baseline of their applications.

Basic scanning

With basic scanning enabled on your private registry, you can configure repository filters to specify which repositories are set to scan on push, or you can perform manual scans using the start-image-scan CLI command. HAQM ECR provides a list of scan findings. Each container image may be scanned once per 24 hours.

HAQM ECR uses the CVE database from the open-source Clair project and provides a list of scan findings. You can review the scan findings for information about the security of the container images that are being deployed. For more information about Clair, see Clair on GitHub. HAQM ECR sends an event to HAQM EventBridge (formerly called CloudWatch Events) when an image scan completes.
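The scan-complete event just mentioned is the natural hook for the automation the enhanced scanning section suggests building. The following is an added example (not code from the original post or from AWS) of a handler that receives the EventBridge event, then applies a severity policy to the findings returned by `aws ecr describe-image-scan-findings`, so a pipeline or ticketing step can act on the result. The event and response are constructed samples shaped like the real ones as I know them (detail-type `ECR Image Scan`; `findings` for basic scanning, `enhancedFindings` for enhanced scanning); the field names are assumptions to verify against current AWS documentation, and the digest and package versions are placeholders. The CVE and image name are the ones used earlier in the post.

```python
"""Gate on ECR scan results after a scan-complete event (added example).

Not code from the original post or from AWS. The event and API response
shapes below are constructed samples; verify field names against the current
ECR documentation before relying on them.
"""
import json

# Severities that fail the policy; lower severities are reported but allowed.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample of the EventBridge event (source aws.ecr, detail-type
# "ECR Image Scan") delivered when a scan finishes. Digest is a placeholder.
SAMPLE_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "region": "us-west-2",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "scanrepo-prod",
        "image-digest": "sha256:" + "0" * 64,  # placeholder, not a real digest
        "image-tags": ["latest"],
        "finding-severity-counts": {"CRITICAL": 1, "MEDIUM": 1},
    },
}

# Constructed sample of a trimmed describe-image-scan-findings response from an
# enhanced (Inspector) scan. Versions are illustrative; EXAMPLE-0001 is a
# placeholder identifier, not a real vulnerability id.
SAMPLE_FINDINGS_RESPONSE = {
    "imageScanFindings": {
        "enhancedFindings": [
            {"severity": "CRITICAL", "title": "CVE-2021-44228 - log4j-core",
             "packageVulnerabilityDetails": {
                 "vulnerabilityId": "CVE-2021-44228",
                 "vulnerablePackages": [{"name": "log4j-core", "version": "2.14.1"}]}},
            {"severity": "MEDIUM", "title": "EXAMPLE-0001 - example-pkg",
             "packageVulnerabilityDetails": {
                 "vulnerabilityId": "EXAMPLE-0001",
                 "vulnerablePackages": [{"name": "example-pkg", "version": "1.0"}]}},
        ]
    }
}


def normalize_findings(response):
    """Flatten either response shape into (vulnerability_id, severity, package).

    Basic scans return `findings` (name/severity/attributes); enhanced scans
    return `enhancedFindings` (packageVulnerabilityDetails). A real response
    carries one shape or the other, so both loops are safe to run.
    """
    scan = response.get("imageScanFindings", {})
    out = []
    for f in scan.get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append((f["name"], f["severity"], attrs.get("package_name", "?")))
    for f in scan.get("enhancedFindings", []):
        details = f.get("packageVulnerabilityDetails", {})
        pkgs = details.get("vulnerablePackages", [])
        pkg = pkgs[0]["name"] if pkgs else "?"
        out.append((details.get("vulnerabilityId", f.get("title", "?")),
                    f["severity"], pkg))
    return out


def evaluate(event, response, blocking=BLOCKING_SEVERITIES):
    """Decide whether the scanned image passes policy.

    Returns a dict with a verdict (SKIP / PASS / FAIL), the blocking findings,
    and whether the event's severity counts agree with the fetched findings,
    which catches a stale or mismatched lookup.
    """
    detail = event.get("detail", {})
    if (event.get("detail-type") != "ECR Image Scan"
            or detail.get("scan-status") != "COMPLETE"):
        return {"verdict": "SKIP", "reason": "not a completed scan", "blocking": []}
    findings = normalize_findings(response)
    blocking_hits = [f for f in findings if f[1] in blocking]
    counts = detail.get("finding-severity-counts", {})
    expected = sum(counts.get(sev, 0) for sev in blocking)
    return {
        "verdict": "FAIL" if blocking_hits else "PASS",
        "image": f"{detail.get('repository-name')}@{detail.get('image-digest')}",
        "blocking": blocking_hits,
        "counts_consistent": expected == len(blocking_hits),
    }


if __name__ == "__main__":
    # In a Lambda target, `response` would come from a describe-image-scan-findings
    # call using the repository name and digest taken from the event.
    print(json.dumps(evaluate(SAMPLE_EVENT, SAMPLE_FINDINGS_RESPONSE), indent=2))
```

On the constructed input the verdict is `FAIL` with CVE-2021-44228 in `log4j-core` as the blocking finding, and the event's CRITICAL count of 1 agrees with the fetched detail. A non-`COMPLETE` scan status yields `SKIP` rather than a false pass, so a failed scan cannot silently let an image through.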

Further configuration information for basic scanning can be found in the documentation.

Coverage and pricing

Now that you have an idea of the new scanning alternatives available for HAQM ECR, let’s address the questions of coverage and costs. At the moment, HAQM ECR provides CVE scanning for OS packages for most common Linux distributions, including Debian, Ubuntu, and HAQM Linux. Please refer to the supported OS and programming languages documentation for an up-to-date listing.

Basic scanning is available with no additional charge to HAQM ECR customers. Each container image may be scanned once per 24 hours with basic scanning. This limit includes the initial scan on push, if enabled, and any manual scans.

Enhanced scanning is provided and billed through HAQM Inspector. All accounts new to HAQM Inspector are eligible for a 15-day trial to evaluate the service and estimate its cost. During the trial, all eligible container images pushed to HAQM ECR are continually scanned at no cost.

Pricing for enhanced scanning has two tiers. The cost for a container image scanned initially on push to HAQM ECR is $0.09 per image scan. Each re-scan of a container image in an HAQM ECR repository configured for continuous scanning is $0.01 per image re-scan. Whenever HAQM Inspector adds a new CVE to its database, all eligible container images in your configured HAQM ECR repositories are automatically re-scanned.

Conclusion

We’re excited to launch this important security feature for HAQM ECR private registry customers today and hope you benefit from it to improve the security posture of your containerized applications. We’d like to learn from you how we can improve the image scanning features via the container roadmap. Please provide us with feedback on what other related functionality you would consider useful.

You can find more information on the feature using the following resources.