AWS Config Rule: ECR Scan On Push

ECR_SCAN_ON_PUSH

Ryan Ware

Last Update a year ago

Description: Checks if all Amazon ECR Images are configured with "Scan On Push". This Setting will ensure that each push of a new image to ECR will trigger a scan for vulnerabilities from AWS.


Trigger type: Periodic


AWS Region: All supported AWS regions


How to Resolve Manually

To manually resolve this, you will need to first head on over to the Amazon ECR Dashboard. You will need to do this in multiple regions if you have repositories hosted within more than one AWS Region.


Once you are here, view your public and private repositories. To view your Image Scan Settings, select a chosen repository by selecting the circle next to the Repository Name, and then choose the Edit button at the top of the ECR Dashboard.


Once open, scroll down slightly to see the Image Scan Settings, as displayed below. To enable Scan On Push, click on the toggle button which is by default, disabled.

Do remember though, that this setting is disabled by default, at the time of writing due to it being deprecated by AWS in favour of registry-level scan configurations. Also known as Enhanced Scanning, this method will continuously scan your repositories at the registry level to find vulnerabilities in your container images.


Enhanced Scanning however, will come at an additional AWS cost as it leverages Amazon Inspector. If you are using Amazon Inspector already however, consider the change to make use of Enhanced Scanning if this looks to be an improvement for your architecture.


How to Resolve with StackZone

The Config Rule comes with an Auto-Remediation option which will be able to target all of your ECR Repositories across your Organization.


StackZone will be able to set all repositories to have Scan On Push enabled. 


However, you may want some repositories to not have this enabled, to assist with this we also give you the chance to set exempted names as a configurational setting for the auto-remediation.


This means that you can have StackZone change all ECR Repositories to have Scan On Push enabled, with the exception of certain names which you provide.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us