Ensure ECR Image Scan on Push Rule
This rule ensures ECR image scan on push is enabled for security compliance.
| Rule | Ensure ECR image scan on push is enabled |
| Framework | CloudDefense.AI Security |
| Severity | ✔ High |
Rule Description:
The rule states that ECR image scanning on push should be enabled for CloudDefense. This means that every time an image is pushed to the Amazon Elastic Container Registry (ECR), it should be automatically scanned by CloudDefense for vulnerabilities.
Enabling ECR image scan on push enhances the security of the ECR repository by identifying any known vulnerabilities in the container images before they are deployed. This helps in preventing the usage of insecure and potentially harmful images in production environments.
Troubleshooting Steps (if any):
If ECR image scan on push is not enabled for CloudDefense, you can follow the troubleshooting steps below:
- 1.
Verify IAM Permissions: Ensure that the IAM role or user associated with the ECR repository has the necessary permissions to enable image scanning on push. The required permission is
.ecr:SetRepositoryPolicy - 2.
Check CloudDefense Integration: Confirm that CloudDefense is properly integrated with your AWS account. Check if the necessary CloudDefense scanner is deployed and reachable. Validate the connection and ensure that the scanner is actively monitoring your ECR repositories.
- 3.
Review ECR Repository Settings: Double-check the repository settings in the Amazon ECR console. Verify that the "Scan on push" option is enabled for your repository.
- 4.
Verify Image Permissions: Ensure that the images you are trying to push have the required permissions for scanning. Check the image manifest and metadata to ensure that the CloudDefense scanner can access and scan the image.
Necessary Codes (if any):
In this case, no specific code is required as this rule is focused on enabling a configuration rather than implementing code.
Step-by-Step Guide for Remediation:
To enable ECR image scanning on push for CloudDefense, follow the step-by-step guide below:
- 1.
Open the Amazon ECR console in your AWS account.
- 2.
Select the ECR repository for which you want to enable image scanning on push.
- 3.
Click on the "Image scanning" tab.
- 4.
Under the "Scan on push" section, click on the "Edit" button.
- 5.
Enable the "Scan on push" option.
- 6.
In the "Scan schedule" dropdown, select the desired frequency for image scanning. Options include "Always" or a specific schedule like hourly, daily, or weekly.
- 7.
Click on the "Save" button to apply the changes.
- 8.
Validate that the CloudDefense scanner is actively monitoring the repository for image scans.
Now, whenever you push a new image to the ECR repository, CloudDefense will automatically scan it for vulnerabilities before allowing it to be used in production environments.