Profile applicability: Level 2 - Cluster / Control Plane
Scan images deployed to Amazon EKS for vulnerabilities to mitigate the risk of exploitation by attackers or malicious users who might leverage software package vulnerabilities to gain unauthorized access to cloud resources. Amazon Elastic Container Registry (ECR) and other third-party products offer functionality to scan images for known vulnerabilities.

When using AWS ECR, certain common image scan failures can occur. For instance, an UnsupportedImageError may arise if the image was built on an unsupported operating system, as Amazon ECR basic scanning supports package vulnerability scanning only for major versions of specific Linux distributions such as Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, Alpine, and RHEL. Additionally, scan findings might return a severity level of UNDEFINED if the CVE source has not assigned a priority, or if it is a priority Amazon ECR does not recognize. To accurately assess the severity and details of such a vulnerability, view the CVE directly at its source.
Impact
If you are utilizing AWS ECR, common image scan failures can occur. Errors can be viewed in the Amazon ECR console, or through the DescribeImageScanFindings API (aws ecr describe-image-scan-findings in the AWS CLI).

UnsupportedImageError: This error may appear when attempting to scan an image built on an unsupported operating system. Amazon ECR supports vulnerability scanning for major versions of Amazon Linux, Debian, Ubuntu, and other distributions, but not for images built from the Docker scratch image.

Undefined severity level: This may occur when the vulnerability is not prioritized by the CVE source or the priority is not recognized by Amazon ECR. Treat UNDEFINED findings as unreviewed rather than as low risk until the CVE has been checked at its source.
Audit
Follow the guidelines from AWS ECR or your third-party provider for verifying that image scanning is enabled. For AWS ECR, confirm that scan on push is enabled on each repository (AWS CLI):

aws ecr describe-repositories --repository-names $REPO_NAME --region $REGION_CODE

In the output, imageScanningConfiguration.scanOnPush must be true for every repository that holds images deployed to the cluster. Omit --repository-names to list all repositories in the region.
Remediation
To utilize AWS ECR for image scanning, follow these steps:
Create a repository configured for scan on push (AWS CLI):
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
Edit the settings of an existing repository (AWS CLI):
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
Enabling scan on push only scans images pushed after the setting is applied; images already stored in the repository must be scanned manually. Use the following steps to start a manual image scan using the AWS Management Console:

- Open the Amazon ECR console.
- From the navigation bar, choose the Region for your repository.
- In the navigation pane, choose Repositories.
- On the Repositories page, select the repository that contains the image.
- On the Images page, select the image to scan, then choose Scan.
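The following script ties the Audit and Remediation sections together: it drives the AWS CLI commands quoted above through subprocess, flags repositories where scanOnPush is not true, prints the put-image-scanning-configuration fix for each, and triages describe-image-scan-findings output for the two failure modes the Impact section describes (UnsupportedImageError and UNDEFINED severity). This is an added example, not part of the CIS benchmark text or of AWS's own tooling. The SAMPLE_* values are constructed to mirror the documented response shapes so the parsing runs offline; the CVE identifiers in them are placeholders, and the live main() needs AWS credentials and the aws CLI on PATH.

```python
"""Audit and remediate ECR scan-on-push, and triage scan findings.

Added example for the benchmark recommendation above. It wraps the AWS CLI
commands from the Audit and Remediation sections via subprocess and parses
their JSON output. The SAMPLE_* values are constructed (placeholder repo
names and CVE IDs) to mirror the documented response shapes.
"""
import json
import subprocess
import sys
from typing import Dict, List


def run_aws(args: List[str]) -> dict:
    """Run an AWS CLI command and return its parsed JSON output (needs credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def repos_without_scan_on_push(describe_output: dict) -> List[str]:
    """Names of repositories whose imageScanningConfiguration.scanOnPush is not true.

    describe_output is the JSON from `aws ecr describe-repositories`.
    A missing field is treated as disabled, which is the conservative reading.
    """
    return [
        repo["repositoryName"]
        for repo in describe_output.get("repositories", [])
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False)
    ]


def remediation_command(repo_name: str, region: str) -> List[str]:
    """The put-image-scanning-configuration call from the Remediation section, as argv."""
    return ["aws", "ecr", "put-image-scanning-configuration",
            "--repository-name", repo_name,
            "--image-scanning-configuration", "scanOnPush=true",
            "--region", region]


def triage_scan(findings_output: dict) -> Dict[str, object]:
    """Summarise `aws ecr describe-image-scan-findings` output.

    Surfaces the failure modes the text describes: a FAILED scan whose
    description carries UnsupportedImageError (unsupported base OS, e.g. an
    image built FROM scratch), and findings with severity UNDEFINED, which
    must be looked up at the CVE source to obtain a real priority.
    """
    status = findings_output.get("imageScanStatus", {})
    counts: Dict[str, int] = {}
    undefined: List[Dict[str, object]] = []
    for finding in findings_output.get("imageScanFindings", {}).get("findings", []):
        sev = finding.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
        if sev == "UNDEFINED":
            undefined.append({"name": finding.get("name"), "uri": finding.get("uri")})
    return {
        "status": status.get("status"),
        "unsupported_image": "UnsupportedImageError" in status.get("description", ""),
        "severity_counts": counts,
        "undefined": undefined,
    }


# Constructed sample of `aws ecr describe-repositories` output (not real account data).
SAMPLE_REPOSITORIES = {
    "repositories": [
        {"repositoryName": "payments-api", "imageScanningConfiguration": {"scanOnPush": True}},
        {"repositoryName": "batch-worker", "imageScanningConfiguration": {"scanOnPush": False}},
        {"repositoryName": "legacy-tool"},  # field absent: treated as not enabled
    ]
}

# Constructed samples of `aws ecr describe-image-scan-findings` output; CVE IDs are placeholders.
SAMPLE_SCAN_UNSUPPORTED = {
    "repositoryName": "legacy-tool",
    "imageId": {"imageTag": "v1"},
    "imageScanStatus": {
        "status": "FAILED",
        "description": "UnsupportedImageError: The operating system and/or package manager are not supported.",
    },
}
SAMPLE_SCAN_COMPLETE = {
    "repositoryName": "batch-worker",
    "imageId": {"imageTag": "v7"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {"findings": [
        {"name": "CVE-0000-0001", "uri": "https://example.invalid/CVE-0000-0001", "severity": "HIGH"},
        {"name": "CVE-0000-0002", "uri": "https://example.invalid/CVE-0000-0002", "severity": "UNDEFINED"},
        {"name": "CVE-0000-0003", "uri": "https://example.invalid/CVE-0000-0003", "severity": "MEDIUM"},
    ]},
}


def main(region: str) -> int:
    """Live audit: list repositories without scan on push and print the fix for each."""
    repos = run_aws(["ecr", "describe-repositories", "--region", region])
    bad = repos_without_scan_on_push(repos)
    for name in bad:
        print("scanOnPush disabled:", name)
        print("  fix:", " ".join(remediation_command(name, region)))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "us-east-1"))
```

Run it as `python ecr_scan_audit.py $REGION_CODE`; a non-zero exit means at least one repository in the region still lacks scan on push. The triage function is deliberately separate so the same parsing can be applied to findings pulled for each deployed image tag, where an UnsupportedImageError result means the image was never actually assessed and an UNDEFINED finding means its priority is still unknown.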