DEV Community

shah-angita for platform Engineers


Using Amazon ECR Image Scanning and AWS Security Hub for Vulnerability Management

Vulnerability management is a critical aspect of securing cloud-native applications. In this blog post, we will explore how to use Amazon Elastic Container Registry (ECR) Image Scanning and AWS Security Hub to identify and remediate vulnerabilities in container images.

Amazon ECR Image Scanning is a fully managed vulnerability scanning service that identifies vulnerabilities in container images stored in Amazon ECR. It uses the open-source scanner Clair to check images against known vulnerabilities and produces a detailed report of the findings.

AWS Security Hub is a service that provides a centralized view of security alerts and compliance status across multiple AWS accounts and services. It aggregates security findings from various AWS services, including Amazon ECR Image Scanning, and provides a single pane of glass for security teams to manage and remediate vulnerabilities.

To get started with Amazon ECR Image Scanning, you need to enable it for your Amazon ECR repository. You can do this by navigating to the Amazon ECR console, selecting the repository, and clicking on the "View push commands" button. This will display the command to enable image scanning for the repository.

Once image scanning is enabled, you can start pushing container images to the repository. Amazon ECR Image Scanning will automatically scan the images for known vulnerabilities and provide a detailed report of the findings.

Here are example commands to authenticate, tag, and push an image to an Amazon ECR repository with image scanning enabled:

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.us-west-2.amazonaws.com

docker tag <image-name>:<tag> <account-id>.dkr.ecr.us-west-2.amazonaws.com/<repository-name>:<tag>

docker push <account-id>.dkr.ecr.us-west-2.amazonaws.com/<repository-name>:<tag>

After pushing the image, you can view the scan results in the Amazon ECR console. The console displays the number of vulnerabilities found, the severity of the vulnerabilities, and the affected packages.

To view the detailed report of the scan results, you can use the AWS CLI or the Amazon ECR API. Here is an example of the command to retrieve the scan results using the AWS CLI:

aws ecr describe-image-scan-findings --repository-name <repository-name> --image-id imageDigest=<image-digest>

This command returns a JSON object that contains the scan results, including the vulnerability details, the affected packages, and the CVSS score.
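As an added example (not code from the original post), here is a Python script that parses the JSON returned by `aws ecr describe-image-scan-findings`, summarizes the findings by severity and affected package, records the highest CVSS score, and decides whether a CI pipeline should block the image. The sample document, its CVE identifiers, digest and package versions are constructed; the field names follow the basic-scanning output shape, and the "block on HIGH or worse" policy is an assumption.

```python
"""Summarize ECR basic-scan findings and apply a simple CI gate.

Added example, not code from the original post. Assumes the JSON shape
returned by `aws ecr describe-image-scan-findings` for basic scanning:
imageScanFindings.findings[] entries with name, severity, uri and an
attributes list of {key, value} pairs (package_name, package_version,
CVSS2_SCORE). Fetching the JSON (CLI or boto3) is left to the caller.
"""
import json
from collections import Counter

# Constructed sample shaped like the CLI output; the CVE ids, digest and
# package versions are placeholders, not real scan results.
SAMPLE_SCAN = json.dumps({
    "repositoryName": "example-repo",
    "imageId": {"imageDigest": "sha256:PLACEHOLDER-DIGEST"},
    "imageScanStatus": {"status": "COMPLETE", "description": "constructed"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "uri": "https://example.invalid/CVE-EXAMPLE-0001",
             "attributes": [{"key": "package_name", "value": "openssl"},
                            {"key": "package_version", "value": "1.1.1k-1"},
                            {"key": "CVSS2_SCORE", "value": "7.5"}]},
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
             "uri": "https://example.invalid/CVE-EXAMPLE-0002",
             "attributes": [{"key": "package_name", "value": "openssl"},
                            {"key": "package_version", "value": "1.1.1k-1"},
                            {"key": "CVSS2_SCORE", "value": "5.0"}]},
            {"name": "CVE-EXAMPLE-0003", "severity": "LOW",
             "uri": "https://example.invalid/CVE-EXAMPLE-0003",
             "attributes": [{"key": "package_name", "value": "zlib"},
                            {"key": "package_version", "value": "1.2.11-1"}]},
        ],
    },
})

# Ordering used for the gate; these are the severity labels ECR reports.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2,
                 "INFORMATIONAL": 1, "UNDEFINED": 0}


def parse_findings(raw_json):
    """Flatten one describe-image-scan-findings response into dicts.

    Raises ValueError if the scan has not finished, so a caller never gates
    on a partial result (the CLI also offers `aws ecr wait image-scan-complete`).
    Large result sets are paginated with nextToken; call this per page and
    concatenate the lists.
    """
    doc = json.loads(raw_json)
    status = doc.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise ValueError(f"scan not complete (status={status!r})")
    flat = []
    for f in doc.get("imageScanFindings", {}).get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        score = attrs.get("CVSS2_SCORE")  # not every finding carries a score
        flat.append({
            "cve": f["name"],
            "severity": f.get("severity", "UNDEFINED"),
            "package": attrs.get("package_name"),
            "version": attrs.get("package_version"),
            "cvss": float(score) if score is not None else None,
            "uri": f.get("uri"),
        })
    return flat


def summarize(findings):
    """Counts per severity, CVEs grouped by package, and the highest CVSS seen."""
    by_package = {}
    for f in findings:
        by_package.setdefault(f["package"], []).append(f["cve"])
    scores = [f["cvss"] for f in findings if f["cvss"] is not None]
    return {
        "counts": dict(Counter(f["severity"] for f in findings)),
        "by_package": by_package,
        "max_cvss": max(scores) if scores else None,
    }


def should_block(findings, threshold="HIGH"):
    """Gate policy (assumption): block when any finding is at or above threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor for f in findings)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SCAN)
    print(json.dumps(summarize(found), indent=2))
    print("block deploy:", should_block(found))
```

Grouping by package is what makes the report actionable: two CVEs against the same openssl build are one upgrade, not two tickets, and the per-package list maps directly onto the remediation flow later in the post.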

Now that we have the scan results, we can use AWS Security Hub to aggregate and manage the vulnerabilities. To do this, we need to enable AWS Security Hub for our AWS account and configure it to ingest findings from Amazon ECR Image Scanning.

Here is an example of the command to enable AWS Security Hub:

aws securityhub enable-organization-admin-account --admin-account-id <admin-account-id>

Once AWS Security Hub is enabled, we can use the AWS Management Console to configure it to ingest findings from Amazon ECR Image Scanning. To do this, we need to create a custom rule that triggers when a new finding is generated by Amazon ECR Image Scanning.

Here is an example of the custom rule configuration:

  • Rule name: ECR Image Scanning Findings
  • Description: Triggers when a new finding is generated by Amazon ECR Image Scanning
  • Event source: Amazon Elastic Container Registry
  • Event type: Image Scan Findings
  • Severity: Critical, High, Medium, Low
  • Resource type: Amazon ECR Image

Once the custom rule is created, AWS Security Hub will start ingesting findings from Amazon ECR Image Scanning and display them in the AWS Management Console. The console provides a centralized view of the vulnerabilities, including the severity, the affected resources, and the recommended remediation steps.
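As an added example (not code from the original post), here is how the rule above could be expressed as an event pattern and applied in code: a Python handler that accepts the "ECR Image Scan" events ECR emits through Amazon EventBridge, keeps only completed scans from the ECR source, and reports the counts for the rule's four severities so a downstream notification or ticket has something to act on. The sample events, account ids and digests are constructed; mapping the console fields onto this pattern, and the small matcher itself, are assumptions rather than an AWS library.

```python
"""Filter ECR image-scan events the way the rule above does.

Added example, not code from the original post. Assumes events in the shape
EventBridge emits for "ECR Image Scan" (source aws.ecr, detail carrying
scan-status, repository-name, image-digest, image-tags and
finding-severity-counts). The sample events and the matcher are constructed.
"""
import json

# Pattern standing in for the rule's "Event source" and "Event type" fields,
# plus a scan-status filter so a failed scan is never mistaken for a clean one.
ECR_SCAN_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"scan-status": ["COMPLETE"]},
}
# The rule's "Severity" field.
RULE_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed events; account, digests and ids are placeholders.
REPO_ARN = "arn:aws:ecr:us-west-2:111111111111:repository/example-repo"
SAMPLE_EVENTS = [
    {"version": "0", "id": "evt-1", "detail-type": "ECR Image Scan", "source": "aws.ecr",
     "account": "111111111111", "time": "2024-01-01T00:00:00Z", "region": "us-west-2",
     "resources": [REPO_ARN],
     "detail": {"scan-status": "COMPLETE", "repository-name": "example-repo",
                "image-digest": "sha256:PLACEHOLDER-1", "image-tags": ["v1.2.3"],
                "finding-severity-counts": {"CRITICAL": 2, "HIGH": 3, "INFORMATIONAL": 4}}},
    {"version": "0", "id": "evt-2", "detail-type": "ECR Image Scan", "source": "aws.ecr",
     "account": "111111111111", "time": "2024-01-01T00:05:00Z", "region": "us-west-2",
     "resources": [REPO_ARN],
     "detail": {"scan-status": "COMPLETE", "repository-name": "example-repo",
                "image-digest": "sha256:PLACEHOLDER-2", "image-tags": ["v1.2.4"],
                "finding-severity-counts": {}}},  # clean image
    {"version": "0", "id": "evt-3", "detail-type": "ECR Image Scan", "source": "aws.ecr",
     "account": "111111111111", "time": "2024-01-01T00:10:00Z", "region": "us-west-2",
     "resources": [REPO_ARN],
     "detail": {"scan-status": "FAILED", "repository-name": "example-repo",
                "image-digest": "sha256:PLACEHOLDER-3", "image-tags": ["v1.2.5"]}},
    {"version": "0", "id": "evt-4", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
     "account": "111111111111", "time": "2024-01-01T00:15:00Z", "region": "us-west-2",
     "resources": [], "detail": {"type": "constructed"}},
]


def matches_pattern(event, pattern):
    """Minimal EventBridge-style match: every pattern key must be present and the
    event value (or any element of a list value) must be one of the allowed
    values; nested dicts match recursively. Other pattern operators are omitted."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def triage_scan_event(event, severities=RULE_SEVERITIES):
    """None when the event is outside the rule; otherwise a summary restricted to
    the severities the rule lists and a flag saying whether anything needs action."""
    if not matches_pattern(event, ECR_SCAN_PATTERN):
        return None
    detail = event["detail"]
    counts = detail.get("finding-severity-counts", {})  # empty on a clean image
    matched = {s: counts[s] for s in severities if counts.get(s, 0) > 0}
    return {
        "account": event.get("account"),
        "region": event.get("region"),
        "repository": detail["repository-name"],
        "digest": detail["image-digest"],
        "tags": detail.get("image-tags", []),
        "counts": matched,
        "actionable": bool(matched),
    }


def triage_all(events):
    """Apply the rule to a batch and drop everything it does not match."""
    return [r for r in (triage_scan_event(e) for e in events) if r is not None]


if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_EVENTS), indent=2))
```

The scan-status filter is the caveat worth keeping: a FAILED scan carries no severity counts, and a handler that only checked for an empty count map would quietly treat it as a clean image.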

To remediate the vulnerabilities, we can use the AWS Management Console to create a remediation action. A remediation action is a set of steps that can be taken to address a vulnerability. Here is an example of the remediation action configuration:

  • Remediation action name: Update affected package
  • Description: Updates the affected package to the latest version
  • Resource type: Amazon ECR Image
  • Severity: Critical, High, Medium, Low
  • Remediation steps:
    1. Pull the latest version of the affected package
    2. Build a new container image with the updated package
    3. Push the new container image to Amazon ECR
    4. Update the affected resources to use the new container image

Once the remediation action is created, we can use the AWS Management Console to apply it to the affected resources. AWS Security Hub provides a workflow for tracking the remediation progress and verifying that the vulnerabilities have been addressed.

In conclusion, Amazon ECR Image Scanning and AWS Security Hub provide a powerful solution for vulnerability management in container-based applications. By using these services together, we can identify and remediate vulnerabilities in container images, and ensure that our applications are secure and compliant.
