
How to Scan AWS ECR Images

Purpose

This document describes the use case where images are stored on AWS ECR.

Introduction

Amazon Elastic Container Registry (Amazon ECR) is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images and artifacts.
This guide describes how to enable vulnerability scanning of container images stored in Amazon Elastic Container Registry (ECR). Because ECR authentication relies on a short-lived token (valid for only 12 hours), the workflow covers creating an IAM user with read-only ECR permissions, generating the temporary password with the AWS CLI, and then configuring a Docker-type credential on a HIAB appliance. Once set up, Outpost24 can discover, authenticate to, and scan the images in your ECR registry.

Procedure

Prerequisite

An AWS ECR registry that stores the images to be scanned.

Create Account

Steps to create account:

  1. On the AWS console, create an IAM user with read-only ECR privileges.

  2. Generate the temporary password with the AWS CLI.

  3. Create or update a Docker-type scan credential on the HIAB.

Create IAM Account on AWS Console

To create an IAM Account on AWS Console:

  1. Log in to AWS console.

  2. Select IAM.

  3. Select Users in the left-hand side tab then click on Add user.

  4. Provide a user name such as ECR_user_read_only, select Programmatic access, then click Next: Permissions.


  5. Under Set permissions select Attach existing policies directly, search for Registry, check the box for AmazonEC2ContainerRegistryReadOnly, then click Next: Tags. Note that this managed policy grants read access to every repository in the account; if the HIAB only needs to scan specific repositories, a custom policy limited to those repository ARNs is the tighter choice.

  6. Optionally add a tag, for example key context with value HIAB, then click Next: Review.


  7. Review the user settings and go back if a value needs correcting. When the review is done, click Create user.


  8. Copy the Access Key ID and Secret Access Key generated when the user is created. The secret access key is only displayed at this point; if it is lost, a new key pair must be created.

You now have an Access Key ID and Secret Access Key, which are required for the next steps. Store them as you would any other long-lived credential: they are the root of the access the HIAB will have to your registry.

Generate Temporary Password from AWS CLI

You need the AWS CLI installed; if it is not, install it (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). The aws ecr get-login-password command used below requires AWS CLI version 2 (or version 1.17.10 or later).

Before generating the password you need to create a configuration profile.

To create a profile in the AWS CLI, do the following:

  1. Run aws configure --profile hiab, using hiab or any other profile name that better suits you.

aws configure --profile hiab

  2. Enter the Access Key ID and Secret Access Key that were generated in step 8 of the Create IAM Account on AWS Console section.

  3. Enter the region name where your ECR repositories are located and leave the last entry (output format) empty.

  4. Check the profile by running aws configure list --profile hiab (or the profile name from step 1); it shows the partially masked key ID and the region without prompting for new values.

aws configure list --profile hiab

When the profile is configured, generate the temporary password required to access the ECR registry through Docker:

  1. Run the command aws ecr get-login-password --profile hiab --region <your_ecr_repository_region> and copy the output.

aws ecr get-login-password --profile hiab --region <your_ecr_repository_region>

When done, you have a password which is valid for 12 hours. Treat it as a secret: for as long as it is valid it grants the same registry access as the IAM user's keys.

It is a long base64-encoded string that looks something like this:

eyJwYXlsb2FkIjoiWkdLRFpCLzBWeUQ0UU8rb2pFQUhadGVHNmRFK2h6VUo1MHBOelBkVnBTZXIzaUZSWTJWTXF0UjVRMGgzaDZiTlN5R1o4V3AwcitLZ3VNQkZnNpTXZtR1pBaTBEMExDOXphbGFFYjZwbXlXdmw4UXVJU3U1eU1OK1hyYU9MOTZTS0RSNGZiaHVvQ1ZWK3AzYVA4VXlFQjlucTl3SlRSNEFCczJvbzFoUzRRMFdLL3JqczBYYVNRdzBpZk9XTGU2YXFhZCt0bXIyK2tJK09LWXkyTi9aY3M3UlZHSmVVOElxSDhjSjlxVUEyVmplSnFJSXYycGRZZ1ZuVDNCbmIyeWgxVWR1OWJjdFRHeGNZbkcwNVdscjU2RkNqajNxdVRVeWdJK2VqRVlIZFJNNzNLTStZWmtrQ0VQL1VtWjF3NmFObkNVK2I0Nm9JTGhDaXFKWTZzSmh3UEtxc0xWcnJTWHV4UnFGNmqq5IVnFKOSswTHM1OVdjelEycmkwS0dQQWZoZ0llczJpa2hzeER0a00yakIrYUZoMWptK3NWS0R5VzA5RzVqL2JUSUU1Rkl3eVMrUk16dDY0elM4U01FWDYyQ2hiQXVhdlpZN0RuSmI0RzU2cmtOQlIxZ0x3OUJsZ21QVFh3UFBtTU4yZzVHR3YrSnBPRjVueW1hTFQzV1VPQ1ZhUTdxZ3drS2dnWHBIQVZpWmgxQmtmSnp1c3FaSjFYYWR4K3hlWkJnTXdsYitqU0RoWFBNZTZKMWFCVFBnbUQzUVQwK3NRNUs0MzhWc2ltVUFqdHV0Mno5bWVkbWZISENraUZoalJraWoxOG02Z29LTGVVUkhNM1F0cGdQbjI0eFBLaTJ3dlBNS3hjqhprTzN0VTIzWit6U3gxUy9RM00rWFZqbExKWWJodENFcVRxMC91TXRJaUFIZ3FsMW55R3JtdUhPeTJYbHBMdVd5djcTFsVWR6VnRuNmFHaTkyaC8wbCtrQi8xdHAzYXBubFZVb2d2c1l5NE05YXIxKzVVeEh0ZmZnWDdkN1R4U1ZQY0pDayt2bnZFVFlTZEpPTmx5M1U0bTdMS0tBSitRY01WejRxMXRmaW1VWE9jWnBJZE1wWnRvYUo3ZE5WcklRaFdQR1phUjJtazhUbUkwSEtCMDIvRDZDbjZqOFY5dmlGTWpYUXdEWG5VbVNqOU0zNTB1bnZCUXZDTTJHRHEyZTRYN2hEeHRMNzVad2xxNVQwNlhkc3pTcmlTZnZRTGlWOUM1SXBHcTAxdHZWbEovL3RxRmhOOUZ0WnJwby8yc2p2UDdDblFQV2ZyaDh2K20va0p0aFU3Rk9iVnlYaTZ4Y3JneEtkY2V2OHRDNFBaS0xPUWNCZkE1SVN5b0p3RjlKSVRGaWJQSWR5Q3NsSElyK3RsNGxJeWFGcmdaS3EvbEFFNHZpd0Z4YTNEcmtKeXVhZmtKaHJWTWJuSitWNnh3STFpMXljRkcxNThLVjd2My9nZ2xnSlgyRnI1L1VmZnBFT3IxWVFYZTdIOVBkU2s4aDV2TjJZNlFPcDBIK1BXWFl1MC9tWThXRTNNZHVvcytRQnBhWFFjZ25tb0lPUyIsImRhdGFrZXkiOiJBUUVCQUhpakVGWEd3RjFjaXBWT2FjRzhxUm1Kb1ZCUGF5OExVVXZVOFJDVlYwWG9Id0FBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESmFST0xyUVo4VG1vSktoaXdJQkVJQTdPUEhqTnNZcEZlMGcwM3gxbzN4SVpld2E0TFNmKzdLbm5Fb0xtajZqNE9XYmErbHVBNWRRWFNlUjNOcGQwcnFaelQxSk5UVUxVUHExUDVjPSIsInZlcnNpb24iOiIyIiwidHlwZSI6IkRBVEFfS0VZIiwiZXhwaXJhdGlvbiI6MTU5NzQzMDA3M3
0=

Create a Scan Docker-type Account on HIAB

To create a Scan Docker-type Account on a HIAB:

  1. Log in to the HIAB.

  2. Select Portal in the Main Menu.

  3. On the portal click on the account button in the upper right corner to open account options.

  4. On Account select Credentials.

  5. On Credentials click on Add credential in the lower right corner.

  6. On Add credentials, Select Docker type account.

  7. Fill in the name, example: ECR-repository.

  8. In Docker registry, enter the ECR registry URL. If you do not know it, retrieve it from the AWS console (ECR service). The URL has the form https://xxxxxxxxxxxx.dkr.ecr.yyyyy.amazonaws.com, where xxxxxxxxxxxx is your 12-digit AWS account ID and yyyyy is the region where your ECR repository is located, for example https://123456789012.dkr.ecr.us-west-1.amazonaws.com (123456789012 is a placeholder account ID).

  9. Enter AWS as the username. This is a fixed value for ECR; it is not the IAM user name.

  10. Paste the temporary password into the Password field. (See the Generate Temporary Password from AWS CLI section on how to generate the password.)

  11. Click ADD.

Once these steps have been performed, a new Docker credential exists on the HIAB. With one or more Docker credentials configured, a Docker discovery can be run to retrieve the list of images in your registries, and a Docker scan can then be run on any discovered image.
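The steps above leave two things to get right by hand: the registry URL format and the fact that the pasted password silently stops working after 12 hours. The following shell helpers are an added example (not Outpost24's or AWS's code) that builds the registry URL from an account ID and region, reads the expiry timestamp embedded in the get-login-password output (the token is base64-encoded JSON whose last field is "expiration", as visible in the sample token above), and, when run with ECR_LIVE=1, fetches a real token for the hiab profile and checks it against Docker before you paste it into the HIAB credential. The profile name hiab, the region us-west-1, the account ID 123456789012 and the sample token are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not part of the original page. Offline helpers for the ECR
# token workflow; the aws/docker calls only run when ECR_LIVE=1.
set -eu

# Build the registry URL HIAB expects from a 12-digit account ID and a region.
ecr_registry_url() {
  _acct=$1; _region=$2
  case $_acct in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits: $_acct" >&2; return 1 ;;
  esac
  printf 'https://%s.dkr.ecr.%s.amazonaws.com\n' "$_acct" "$_region"
}

# get-login-password returns base64 JSON ending in "expiration":<unix seconds>.
# Extract that number so the rotation deadline is known; empty if unparsable.
ecr_token_expiry() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | sed -n 's/.*"expiration":\([0-9][0-9]*\).*/\1/p'
}

# Seconds of validity left (0 if expired or unparsable).
# $2 is the reference time as a unix timestamp, defaulting to now.
ecr_token_seconds_left() {
  _exp=$(ecr_token_expiry "$1")
  _now=${2:-$(date +%s)}
  [ -n "$_exp" ] || { echo 0; return 0; }
  if [ "$_exp" -gt "$_now" ]; then echo $((_exp - _now)); else echo 0; fi
}

# Constructed sample token: same structure as a real one, dummy payload/datakey.
SAMPLE_JSON='{"payload":"ZHVtbXk=","datakey":"ZHVtbXk=","version":"2","type":"DATA_KEY","expiration":1597430073}'
SAMPLE_TOKEN=$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')

echo "registry: $(ecr_registry_url 123456789012 us-west-1)"
echo "sample token expires at epoch $(ecr_token_expiry "$SAMPLE_TOKEN")"
echo "seconds left as of epoch 1597400000: $(ecr_token_seconds_left "$SAMPLE_TOKEN" 1597400000)"

# Live path (assumed profile/region): confirm which account the profile maps
# to, fetch a real token, prove it works with docker login, and report how
# long the HIAB credential built from it will keep working.
if [ "${ECR_LIVE:-0}" = 1 ]; then
  PROFILE=${PROFILE:-hiab}; REGION=${REGION:-us-west-1}
  ACCT=$(aws sts get-caller-identity --profile "$PROFILE" --query Account --output text)
  REGISTRY=$(ecr_registry_url "$ACCT" "$REGION")
  TOKEN=$(aws ecr get-login-password --profile "$PROFILE" --region "$REGION")
  printf '%s' "$TOKEN" | docker login --username AWS --password-stdin "${REGISTRY#https://}"
  echo "token valid for $(( $(ecr_token_seconds_left "$TOKEN") / 3600 )) h; paste it into the HIAB Docker credential for $REGISTRY"
fi
```

Run it as `ECR_LIVE=1 PROFILE=hiab REGION=eu-west-1 sh ecr_token.sh` to check a real profile; the `docker login` step fails fast on a wrong region or a profile whose keys lack ECR read permission, which is cheaper than waiting for a failed HIAB discovery. The token is passed to Docker on stdin rather than on the command line so it does not land in shell history or process listings; the same care applies when copying it into the HIAB.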



Troubleshooting When Scanning ECR Repository

ECR requires a temporary password that expires 12 hours after it was generated; the HIAB does not renew it on its own.

When the password has expired, the following errors are displayed on the HIAB:

  • A Docker discovery fails with the error message Failed to get images from docker registry. 403 Forbidden.

  • An image scan fails with the message Login failure.

In both cases, generate a new password as described in Generate Temporary Password from AWS CLI and update the Password field of the Docker credential, then rerun the discovery or scan.

ECR Scan Examples

The original page illustrates the following stages with screenshots (not reproduced here):

  • Docker discovery configuration.

  • Docker discovery scan.

  • Docker discovery result, for example assets.

  • Docker image scan configuration.

  • Docker image scan.

  • Docker image scan result, for example findings/vulnerabilities.




Copyright

© 2025 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.
