Introduction

The purpose of the document is to describe the use case where images are stored on AWS ECR.

AWS ECR requires a specific procedure to log in to ECR repository, a temporary password needs to be created with a fixed 12 hours before expiring. 

Prerequisite

AWS ECR web service to store images. 

Procedure

Steps to create account:

  1. On AWS customer console create an IAM account with ECR read only privileges
  2. Generate the temporary password by using AWS CLI
  3. Create/update a scan docker-type account on HIAB 

Create IAM Account on AWS Console

To create an IAM Account on AWS Console:

  1. Log in to AWS console.
  2. Select IAM.
  3. Select Users in the left-hand side tab then click on Add user.
  4. Provide a user name such as ECR_user_read_only and select Programmatic access then click on Next: Permissions.



  5. Under Set permission select Attach existing policies directly and Search for Registry then check the box  AmazonEC2ContainerRegistryReadOnly then click on Next: Tags.



  6. You may add a tag such as key set to context and value HIAB then click on Next: Review.



  7. Finally review the user account settings, go back if you need to fix a value. When review is done, click on Create user.



  8. Copy the Access Key ID and Secret Access Key that are generated when the user account is created.

When done you shall have an Access Key ID and Secret Access Key which are required for the next steps.

Generate Temporary Password from AWS CLI

Note

You need to have AWS CLI installed, if not then install it (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).

Prior to generate the password you need to create a configuration profile.

To create a profile on AWS CLI , do the following:

  1. Run aws configure --profile hiab , and put hiab as profile or any other profile name that may better suit you.

    aws configure --profile hiab
  2. Then enter the Access Key ID and Secret Access Key that where generated in step 7 in the Create IAM Account on AWS Console section.
  3. Then enter the region name where your ECR repositories are located, ignore the last entry.
  4. Check the profile you entered by typing aws configure --profile hiab (or the profile name from step 1).

    aws configure --profile hiab

When the profile is configured, a temporary password can be generated which is required to access ECR repository through docker by doing the following:

  1. Run the command aws ecr get-login-password --profile hiab --region <our_ecr_repository_region>, and copy the output.

    aws ecr get-login-password --profile hiab --region <our_ecr_repository_region>

When done you shall have a password which is valid during 12 hours. 

It should be something like:

eyJwYXlsb2FkIjoiWkdLRFpCLzBWeUQ0UU8rb2pFQUhadGVHNmRFK2h6VUo1MHBOelBkVnBTZXIzaUZSWTJWTXF0UjVRMGgzaDZiTlN5R1o4V3AwcitLZ3VNQkZnNpTXZtR1pBaTBEMExDOXphbGFFYjZwbXlXdmw4UXVJU3U1eU1OK1hyYU9MOTZTS0RSNGZiaHVvQ1ZWK3AzYVA4VXlFQjlucTl3SlRSNEFCczJvbzFoUzRRMFdLL3JqczBYYVNRdzBpZk9XTGU2YXFhZCt0bXIyK2tJK09LWXkyTi9aY3M3UlZHSmVVOElxSDhjSjlxVUEyVmplSnFJSXYycGRZZ1ZuVDNCbmIyeWgxVWR1OWJjdFRHeGNZbkcwNVdscjU2RkNqajNxdVRVeWdJK2VqRVlIZFJNNzNLTStZWmtrQ0VQL1VtWjF3NmFObkNVK2I0Nm9JTGhDaXFKWTZzSmh3UEtxc0xWcnJTWHV4UnFGNmqq5IVnFKOSswTHM1OVdjelEycmkwS0dQQWZoZ0llczJpa2hzeER0a00yakIrYUZoMWptK3NWS0R5VzA5RzVqL2JUSUU1Rkl3eVMrUk16dDY0elM4U01FWDYyQ2hiQXVhdlpZN0RuSmI0RzU2cmtOQlIxZ0x3OUJsZ21QVFh3UFBtTU4yZzVHR3YrSnBPRjVueW1hTFQzV1VPQ1ZhUTdxZ3drS2dnWHBIQVZpWmgxQmtmSnp1c3FaSjFYYWR4K3hlWkJnTXdsYitqU0RoWFBNZTZKMWFCVFBnbUQzUVQwK3NRNUs0MzhWc2ltVUFqdHV0Mno5bWVkbWZISENraUZoalJraWoxOG02Z29LTGVVUkhNM1F0cGdQbjI0eFBLaTJ3dlBNS3hjqhprTzN0VTIzWit6U3gxUy9RM00rWFZqbExKWWJodENFcVRxMC91TXRJaUFIZ3FsMW55R3JtdUhPeTJYbHBMdVd5djcTFsVWR6VnRuNmFHaTkyaC8wbCtrQi8xdHAzYXBubFZVb2d2c1l5NE05YXIxKzVVeEh0ZmZnWDdkN1R4U1ZQY0pDayt2bnZFVFlTZEpPTmx5M1U0bTdMS0tBSitRY01WejRxMXRmaW1VWE9jWnBJZE1wWnRvYUo3ZE5WcklRaFdQR1phUjJtazhUbUkwSEtCMDIvRDZDbjZqOFY5dmlGTWpYUXdEWG5VbVNqOU0zNTB1bnZCUXZDTTJHRHEyZTRYN2hEeHRMNzVad2xxNVQwNlhkc3pTcmlTZnZRTGlWOUM1SXBHcTAxdHZWbEovL3RxRmhOOUZ0WnJwby8yc2p2UDdDblFQV2ZyaDh2K20va0p0aFU3Rk9iVnlYaTZ4Y3JneEtkY2V2OHRDNFBaS0xPUWNCZkE1SVN5b0p3RjlKSVRGaWJQSWR5Q3NsSElyK3RsNGxJeWFGcmdaS3EvbEFFNHZpd0Z4YTNEcmtKeXVhZmtKaHJWTWJuSitWNnh3STFpMXljRkcxNThLVjd2My9nZ2xnSlgyRnI1L1VmZnBFT3IxWVFYZTdIOVBkU2s4aDV2TjJZNlFPcDBIK1BXWFl1MC9tWThXRTNNZHVvcytRQnBhWFFjZ25tb0lPUyIsImRhdGFrZXkiOiJBUUVCQUhpakVGWEd3RjFjaXBWT2FjRzhxUm1Kb1ZCUGF5OExVVXZVOFJDVlYwWG9Id0FBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESmFST0xyUVo4VG1vSktoaXdJQkVJQTdPUEhqTnNZcEZlMGcwM3gxbzN4SVpld2E0TFNmKzdLbm5Fb0xtajZqNE9XYmErbHVBNWRRWFNlUjNOcGQwcnFaelQxSk5UVUxVUHExUDVjPSIsInZlcnNpb24iOiIyIiwidHlwZSI6IkRBVEFfS0VZIiwiZXhwaXJhdGlvbiI6MTU5NzQzMDA3M30=


Create a Scan Docker-type Account on HIAB

To create a Scan Docker-type Account on a HIAB:

  1. Log in to the HIAB.
  2. Select Portal in the Main Menu.
  3. On the portal click on the account button in the upper right corner to open account options.
  4. On Account select Credentials.
  5. On Credentials click on Add credential in the lower right corner.
  6. On Add credentials, Select Docker type account.
  7. Fill in the name, example: ECR-repository.
  8. I the Docker registry enter the aws ecr, if you do not know it you can retrieve from the AWS console (ECR service).  The URL shall be something like https://xxxxxxxxx.dkr.ecr.yyyyy.amazonaws.com where xxxxxxxxx refers to your AWS account and yyyy the region where your ECR repository is located. example:  https://9624029378562056.dkr.ecr.us-west-1.amazonaws.com.
  9. Enter AWS as username.
  10. Paste the temporary password in the Password field. (See section Generate Temporary Password from AWS CLI on how to generate the password.)
  11. Click on ADD.

Once these steps has been performed, a new docker account is created.  When more docker accounts are created on HIAB, a docker discovery can be performed to retrieve the list of images located on your registries and to perform a docker scan on any discovered images.


Example:

Troubleshooting When Scanning ECR Repository

The ECR requires a temporary password which expires after 12 hours. 

When the password has expired, the following errors are displayed on HIAB:

  • On a docker discovery, the discovery fails with Failed to get images from docker registry. 403 Forbidden error message.
  • On a image scan, the scan fails with message Login failure.

ECR Scan Examples

Docker discovery configuration.

Docker discovery scan.

Docker discovery result, for example assets.

Docker image scan configuration.

Docker image scan.

Docker image scan result, for example findings/vulnerabilities.