By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Working with AWS Inspector ECR Findings - How do you do it?

0

I've enabled AWS Inspector and Security hub across my organization with all scanning modes. Ideally, I'd like to use either the official Jira Service Management integration or the aws-samples version for Jira software (https://github.com/aws-samples/aws-securityhub-jira-software-integration) as a way of integrating these findings into something that lets me manage them.

The problem is, when I look at the findings for ECR I can see there are a lot of duplications and would therefore create a lot of noise and duplicate tickets. This is because the same vulnerability is detected across every image in the repo (there are hundreds in each repo). Which is then magnified again when the same base image is used across multiple repos (there are about 50 repos). Really, I only care if a vulnerability is detected in the most recent image.

I tried creating a suppression rule but Inspector's suppression rules are way too basic. Say I want to suppress any image that does not have the "latest" tag. This means any image that has both the "latest" tag and another tag of any name is then suppressed. So either I have to create a separate repo specifically for inspector scans or I make sure the tag I want to scan has a different digest somehow.

I guess all of this is to compensate for a Jira integration that doesn't handle the aggregation. So my question really is, how do you consume and act on Inspector findings?

1 Answer
1

Hello,



When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, which is provided at no charge by Amazon ECR, with Enhanced scanning, which is provided and billed through Amazon Inspector [1]

Enhanced scanning gives you a choice between continuous scanning or on-push scanning at the repository level. Continuous scanning includes on-push scans and automated rescans. On-push scanning scans only when you initially push an image. For both options, you can refine the scanning scope through inclusion filters.

Also automated re scans are triggered for container images based on whether you use the continuous or on-push option in your Enhanced scanning settings.

Configuring enhanced scanning for Amazon ECR repositories:

  1. Open the Amazon ECR console 

  2. Select the Region that contains the repositories that you want to scan. 

  3. In the navigation pane, choose Private registry, then choose Scanning. 

  4. In the Scanning configuration section, choose Edit. 

  5. Under Scan type, choose Enhanced scanning.

    By default, the Continuously scan all repositories option is selected which turns on complete Amazon Inspector scan coverage for all repositories. Deselect that option and select Scan on push all repositories to run scans only on initial push of an image.


  6. (Optional) Specify which repositories to include in scans for continuous or on-push scans by entering the repository names in the input box and selecting Add filter.


  7. Choose Save.

  8. (Recommended) Repeat these steps in each AWS Region for which you want to activate Amazon Inspector scans for Amazon ECR repositories.

Now to Act upon Inspector findings, kindly find below link [2] which mentions all the bulletins for security or privacy events pertaining to the Amazon Linux AMI.

Thank you,

References : 

 [1] https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html
 [2] https://alas.aws.amazon.com/

AWS
answered 2 years ago
  • Thanks for this info. The direction I was going in with my question was more relating to business process than the technicalities of how to remediate individual findings. I.e. Inspector has detected hundreds (or thousands) of findings... So now how do we work out within the business what findings are effective duplicates and which findings matter. Of course, this is entirely dependent on everyone's individual circumstances but I was interested to hear some examples.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions