How to Scan AWS ECR Images

Purpose

This document describes the use case where images are stored on AWS ECR.

Introduction

Amazon Elastic Container Registry (Amazon ECR) is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images and artifacts.

AWS ECR requires a specific procedure to log in to ECR repository, a temporary password needs to be created with a fixed 12 hours before expiring. 

Procedure

Prerequisite

AWS ECR web service to store images. 

Create Account

Steps to create account:

1. On AWS customer console create an IAM account with ECR read only privileges
2. Generate the temporary password by using AWS CLI
3. Create/update a scan docker-type account on HIAB 

Create IAM Account on AWS Console

To create an IAM Account on AWS Console:

1. Log in to AWS console.
2. Select IAM.
3. Select Users in the left-hand side tab then click on Add user.
4. Provide a user name such as ECR_user_read_only and select Programmatic access then click on Next: Permissions.
   
   

   

   
   
   
5. Under Set permission select Attach existing policies directly and Search for Registry then check the box

   

    AmazonEC2ContainerRegistryReadOnly then click on Next: Tags.
   
   

   

   
   
   
6. You may add a tag such as key set to context and value HIAB then click on Next: Review.
   
   

   

   
   
   
7. Finally review the user account settings, go back if you need to fix a value. When review is done, click on Create user.
   
   

   

   
   
   
8. Copy the Access Key ID and Secret Access Key that are generated when the user account is created.

When done you shall have an Access Key ID and Secret Access Key which are required for the next steps.

Generate Temporary Password from AWS CLI

You need to have AWS CLI installed, if not then install it (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).

Prior to generate the password you need to create a configuration profile.

To create a profile on AWS CLI , do the following:

1. Run aws configure --profile hiab , and put hiab as profile or any other profile name that may better suit you.

   aws configure --profile hiab

2. Then enter the Access Key ID and Secret Access Key that where generated in step 7 in the How to Scan AWS ECR Images#Create IAM Account on AWS Console section.
3. Then enter the region name where your ECR repositories are located, ignore the last entry.

4. Check the profile you entered by typing aws configure --profile hiab (or the profile name from step 1).

   aws configure --profile hiab

When the profile is configured, a temporary password can be generated which is required to access ECR repository through docker by doing the following:

1. Run the command aws ecr get-login-password --profile hiab --region <our_ecr_repository_region>, and copy the output.

   aws ecr get-login-password --profile hiab --region <our_ecr_repository_region>

When done you shall have a password which is valid during 12 hours. 

It should be something like:

eyJwYXlsb2FkIjoiWkdLRFpCLzBWeUQ0UU8rb2pFQUhadGVHNmRFK2h6VUo1MHBOelBkVnBTZXIzaUZSWTJWTXF0UjVRMGgzaDZiTlN5R1o4V3AwcitLZ3VNQkZnNpTXZtR1pBaTBEMExDOXphbGFFYjZwbXlXdmw4UXVJU3U1eU1OK1hyYU9MOTZTS0RSNGZiaHVvQ1ZWK3AzYVA4VXlFQjlucTl3SlRSNEFCczJvbzFoUzRRMFdLL3JqczBYYVNRdzBpZk9XTGU2YXFhZCt0bXIyK2tJK09LWXkyTi9aY3M3UlZHSmVVOElxSDhjSjlxVUEyVmplSnFJSXYycGRZZ1ZuVDNCbmIyeWgxVWR1OWJjdFRHeGNZbkcwNVdscjU2RkNqajNxdVRVeWdJK2VqRVlIZFJNNzNLTStZWmtrQ0VQL1VtWjF3NmFObkNVK2I0Nm9JTGhDaXFKWTZzSmh3UEtxc0xWcnJTWHV4UnFGNmqq5IVnFKOSswTHM1OVdjelEycmkwS0dQQWZoZ0llczJpa2hzeER0a00yakIrYUZoMWptK3NWS0R5VzA5RzVqL2JUSUU1Rkl3eVMrUk16dDY0elM4U01FWDYyQ2hiQXVhdlpZN0RuSmI0RzU2cmtOQlIxZ0x3OUJsZ21QVFh3UFBtTU4yZzVHR3YrSnBPRjVueW1hTFQzV1VPQ1ZhUTdxZ3drS2dnWHBIQVZpWmgxQmtmSnp1c3FaSjFYYWR4K3hlWkJnTXdsYitqU0RoWFBNZTZKMWFCVFBnbUQzUVQwK3NRNUs0MzhWc2ltVUFqdHV0Mno5bWVkbWZISENraUZoalJraWoxOG02Z29LTGVVUkhNM1F0cGdQbjI0eFBLaTJ3dlBNS3hjqhprTzN0VTIzWit6U3gxUy9RM00rWFZqbExKWWJodENFcVRxMC91TXRJaUFIZ3FsMW55R3JtdUhPeTJYbHBMdVd5djcTFsVWR6VnRuNmFHaTkyaC8wbCtrQi8xdHAzYXBubFZVb2d2c1l5NE05YXIxKzVVeEh0ZmZnWDdkN1R4U1ZQY0pDayt2bnZFVFlTZEpPTmx5M1U0bTdMS0tBSitRY01WejRxMXRmaW1VWE9jWnBJZE1wWnRvYUo3ZE5WcklRaFdQR1phUjJtazhUbUkwSEtCMDIvRDZDbjZqOFY5dmlGTWpYUXdEWG5VbVNqOU0zNTB1bnZCUXZDTTJHRHEyZTRYN2hEeHRMNzVad2xxNVQwNlhkc3pTcmlTZnZRTGlWOUM1SXBHcTAxdHZWbEovL3RxRmhOOUZ0WnJwby8yc2p2UDdDblFQV2ZyaDh2K20va0p0aFU3Rk9iVnlYaTZ4Y3JneEtkY2V2OHRDNFBaS0xPUWNCZkE1SVN5b0p3RjlKSVRGaWJQSWR5Q3NsSElyK3RsNGxJeWFGcmdaS3EvbEFFNHZpd0Z4YTNEcmtKeXVhZmtKaHJWTWJuSitWNnh3STFpMXljRkcxNThLVjd2My9nZ2xnSlgyRnI1L1VmZnBFT3IxWVFYZTdIOVBkU2s4aDV2TjJZNlFPcDBIK1BXWFl1MC9tWThXRTNNZHVvcytRQnBhWFFjZ25tb0lPUyIsImRhdGFrZXkiOiJBUUVCQUhpakVGWEd3RjFjaXBWT2FjRzhxUm1Kb1ZCUGF5OExVVXZVOFJDVlYwWG9Id0FBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESmFST0xyUVo4VG1vSktoaXdJQkVJQTdPUEhqTnNZcEZlMGcwM3gxbzN4SVpld2E0TFNmKzdLbm5Fb0xtajZqNE9XYmErbHVBNWRRWFNlUjNOcGQwcnFaelQxSk5UVUxVUHExUDVjPSIsInZlcnNpb24iOiIyIiwidHlwZSI6IkRBVEFfS0VZIiwiZXhwaXJhdGlvbiI6MTU5NzQzMDA3M30=

Create a Scan Docker-type Account on HIAB

To create a Scan Docker-type Account on a HIAB:

1. Log in to the HIAB.
2. Select Portal in the Main Menu.
3. On the portal click on the account button in the upper right corner to open account options.
4. On Account select Credentials.
5. On Credentials click on Add credential in the lower right corner.
6. On Add credentials, Select Docker type account.
7. Fill in the name, example: ECR-repository.
8. I the Docker registry enter the aws ecr, if you do not know it you can retrieve from the AWS console (ECR service).  The URL shall be something like https://xxxxxxxxx.dkr.ecr.yyyyy.amazonaws.com where xxxxxxxxx refers to your AWS account and yyyy the region where your ECR repository is located. example:  https://9624029378562056.dkr.ecr.us-west-1.amazonaws.com.
9. Enter AWS as username.
10. Paste the temporary password in the Password field. (See section How to Scan AWS ECR Images#Generate Temporary Password from AWS CLI on how to generate the password.)
11. Click on ADD.

Once these steps has been performed, a new docker account is created.  When more docker accounts are created on HIAB, a docker discovery can be performed to retrieve the list of images located on your registries and to perform a docker scan on any discovered images.

Example:

Troubleshooting When Scanning ECR Repository

The ECR requires a temporary password which expires after 12 hours. 

When the password has expired, the following errors are displayed on HIAB:

• On a docker discovery, the discovery fails with Failed to get images from docker registry. 403 Forbidden error message.
• On a image scan, the scan fails with message Login failure.

ECR Scan Examples

Docker discovery configuration.

Docker discovery scan.

Docker discovery result, for example assets.

Docker image scan configuration.

Docker image scan.

Docker image scan result, for example findings/vulnerabilities.

_Copyright

_{© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.}

_Trademark

_{Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.}