Scan Amazon Elastic Container Registry (ECR) Images with cnspec
Scan Amazon Elastic Container Registry images for security vulnerabilities and misconfigurations with cnspec.
The Amazon Elastic Container Registry (ECR) stores container images within AWS. To learn the basics, read the Getting Started Guide in the AWS documentation.
When cnspec scans an AWS account, it can automatically discover and scan all ECR images in the account.
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Prerequisites
Ensure your AWS credentials are configured:

cat ~/.aws/credentials

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

To use a specific profile, set AWS_PROFILE:

export AWS_PROFILE=mondoo

To target a specific region, set AWS_REGION:

export AWS_REGION=us-east-1

Scan ECR
After your AWS credentials are in place, cnspec can discover and scan ECR images:

cnspec scan aws --discover ecr

cnspec resolves the images that exist in the account, applies the OS security policies that match each image's platform (Linux, in most cases), and reports vulnerabilities and misconfigurations:
→ discover related assets for 1 asset(s)
→ synchronize assets
luna-mars@sha256:ad2e043042a3...3d22d8d4 ━━━━━━━━━━ 100% score: B
Asset: luna-mars@sha256:ad2e043042a3...3d22d8d4
-----------------------------------------------
Checks:
✓ Pass: A 100 Ensure permissions on all logfiles are configured
✓ Pass: A 100 Ensure system accounts are non-login
✕ Fail: C 50 Ensure auditd is installed
✕ Fail: C 50 Ensure rsyslog is installed
✕ Fail: D 25 Ensure ICMP redirects are not accepted
✓ Pass: A 100 Platform is not end-of-life
Vulnerabilities:
■ SCORE PACKAGE INSTALLED FIXED
■ 6.5 libpam-modules 1.4.0-11ubuntu2 1.5.2-6ubuntu1.1
Scanned 1 asset

To scan a specific repository or image directly, use cnspec scan docker:

cnspec scan docker 123456789012.dkr.ecr.us-east-1.amazonaws.com/luna-mars:latest

Learn more
- Secure Amazon Web Services (AWS) with cnspec: scan AWS accounts and discover ECR alongside other AWS services
- Secure Docker Images with cnspec: scan a specific image from any registry
- Write Effective MQL: guide to authoring checks and queries
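The cnspec scan docker step above, wrapped for a CI job, as an added example that is not cnspec's own code or part of the original page: it derives AWS_REGION from the ECR image reference, runs the scan, and parses the plain-text report layout shown above to fail the job on any failed check or a vulnerability at or above a score threshold. CNSPEC_BIN is an assumed override (not a cnspec feature) so the wrapper can be exercised with a stand-in scanner, and the sample report is constructed.

```shell
#!/bin/sh
# Added example, not cnspec's own code. Assumes the plain-text report layout
# shown on this page. CNSPEC_BIN is a hypothetical override (not a cnspec
# feature) that lets the wrapper run with a stand-in scanner.

# Region embedded in an ECR image reference; prints nothing for other registries.
ecr_region() {
  printf '%s\n' "$1" |
    sed -n 's#^[0-9]\{12\}\.dkr\.ecr\.\([a-z0-9-]*\)\.amazonaws\.com/.*#\1#p'
}

# Number of failed checks ("Fail:" lines) in a report read from stdin.
count_failed_checks() {
  grep -c 'Fail: ' || true
}

# Highest score in the "Vulnerabilities:" table of a report read from stdin.
max_vuln_score() {
  awk '/^Vulnerabilities:/ { in_vulns = 1; next }
       in_vulns && NF >= 5 && $2 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 + 0 > max { max = $2 + 0 }
       END { printf "%.1f\n", max + 0 }'
}

# Scan one ECR image with AWS_REGION pinned to the image's own region, then
# return non-zero if any check failed or a vulnerability scores >= threshold.
scan_and_gate() {
  image="$1"; threshold="${2:-7.0}"
  region=$(ecr_region "$image")
  [ -n "$region" ] || { echo "not an ECR image reference: $image" >&2; return 2; }
  report=$(AWS_REGION="$region" "${CNSPEC_BIN:-cnspec}" scan docker "$image") || return $?
  fails=$(printf '%s\n' "$report" | count_failed_checks)
  worst=$(printf '%s\n' "$report" | max_vuln_score)
  echo "failed checks: $fails, highest vulnerability score: $worst"
  [ "$fails" -eq 0 ] && awk -v w="$worst" -v t="$threshold" 'BEGIN { exit !(w < t) }'
}

# Constructed sample in the page's report layout (not real scanner output).
SAMPLE_REPORT='Asset: luna-mars@sha256:ad2e043042a3...3d22d8d4
Checks:
✓ Pass: A 100 Ensure permissions on all logfiles are configured
✕ Fail: C 50 Ensure auditd is installed
✕ Fail: C 50 Ensure rsyslog is installed
✕ Fail: D 25 Ensure ICMP redirects are not accepted
Vulnerabilities:
■ SCORE PACKAGE INSTALLED FIXED
■ 6.5 libpam-modules 1.4.0-11ubuntu2 1.5.2-6ubuntu1.1
■ 9.8 example-pkg 1.0-1 1.0-2
Scanned 1 asset'
```

Run it as `scan_and_gate 123456789012.dkr.ecr.us-east-1.amazonaws.com/luna-mars:latest 7.0` in a pipeline step; the exit status is what gates the job.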