To pull the scan findings from ECR, the AWS Lambda function calls the DescribeImageScanFindings API; the function is triggered each time ECR completes a scan. A log group is created for each repository with the name format ‘/aws/ecr/image-scan-findings/repo-name’. The findings for each image in the repository are then sorted by severity. A log stream is created for each severity found on the image (‘LOW’, ‘MEDIUM’, etc.), plus a summary log stream holding the count of findings per severity. Finally, the Lambda function puts the sorted findings into the corresponding log streams.
- A client (could be a user or machine) triggers a scan for an image. This can be done manually (using the AWS Management Console, CLI, or SDK), or after the push of an image to the repository that has scan on push enabled.
- Amazon ECR scans the image. After the scan is complete, an event is sent to Amazon EventBridge confirming the completion of the scan.
- An EventBridge rule whose event pattern matches that event triggers a Lambda function.
The Lambda function will:
1. Analyze the event. The function fetches the account ID, image details (digest and tag), and repository name.
2. Use the fetched information to make a DescribeImageScanFindings API call.
3. Create a log group for the corresponding repository, if one does not already exist.
4. Create a log stream for each severity found in the findings and put each finding in the related log stream, in addition to a summary log stream.
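The four steps above as an added Python example (not the Lambda code from the blog's CloudFormation template): the event parsing, findings retrieval and severity grouping are pure functions exercised on a constructed event and constructed findings, and only `lambda_handler` touches boto3. The EventBridge field names and the DescribeImageScanFindings response shape follow the AWS documentation; the account ID, digest and CVE IDs are placeholders.

```python
import json, time

LOG_GROUP_PREFIX = "/aws/ecr/image-scan-findings/"
# Constructed sample inputs: an "ECR Image Scan" EventBridge event and findings shaped like a
# DescribeImageScanFindings response (account id, digest and CVE ids are placeholders).
SAMPLE_EVENT = {"account": "123456789012", "detail": {"repository-name": "demo/app",
                "image-digest": "sha256:0123abcd", "image-tags": ["1.0"], "scan-status": "COMPLETE"}}
SAMPLE_FINDINGS = [{"name": "CVE-0000-0001", "severity": "HIGH", "uri": "https://example.invalid/1"},
                   {"name": "CVE-0000-0002", "severity": "LOW", "uri": "https://example.invalid/2"}]

def parse_event(event):  # Step 1: account id, repository name and image identity from the event
    d = event["detail"]
    return {"registryId": event["account"], "repositoryName": d["repository-name"],
            "imageId": {"imageDigest": d["image-digest"]}, "tags": d.get("image-tags", [])}

def fetch_findings(ecr, info):  # Step 2: DescribeImageScanFindings, following nextToken
    args, findings, more = {k: info[k] for k in ("registryId", "repositoryName", "imageId")}, [], True
    while more:
        resp = ecr.describe_image_scan_findings(**args)
        findings += resp.get("imageScanFindings", {}).get("findings", [])
        more = args["nextToken"] = resp.get("nextToken")
    return findings

def build_log_streams(info, findings, now_ms):
    """Steps 3-4: one stream per severity plus SUMMARY; one JSON document per message so a metric filter can match a CVE name."""
    digest, tags, by_sev = info["imageId"]["imageDigest"], info["tags"], {}
    for f in findings:
        by_sev.setdefault(f.get("severity", "UNDEFINED"), []).append(f)
    streams = {sev: [{"timestamp": now_ms, "message": json.dumps({"name": f.get("name"),
               "severity": sev, "uri": f.get("uri"), "imageDigest": digest, "tags": tags})}
               for f in items] for sev, items in by_sev.items()}
    streams["SUMMARY"] = [{"timestamp": now_ms, "message": json.dumps({"imageDigest": digest,
                          "tags": tags, "counts": {s: len(i) for s, i in by_sev.items()}})}]
    return streams

def ensure(create, **kwargs):  # CreateLogGroup/CreateLogStream fail if the name already exists
    try:
        create(**kwargs)
    except Exception as e:  # boto3 raises logs.exceptions.ResourceAlreadyExistsException
        if type(e).__name__ != "ResourceAlreadyExistsException": raise

def lambda_handler(event, context):
    import boto3  # imported here so the functions above run and test without AWS credentials
    ecr, logs, info = boto3.client("ecr"), boto3.client("logs"), parse_event(event)
    group = LOG_GROUP_PREFIX + info["repositoryName"]
    ensure(logs.create_log_group, logGroupName=group)
    streams = build_log_streams(info, fetch_findings(ecr, info), int(time.time() * 1000))
    for name, events in streams.items():
        ensure(logs.create_log_stream, logGroupName=group, logStreamName=name)
        logs.put_log_events(logGroupName=group, logStreamName=name, logEvents=events)
```

PutLogEvents accepts at most 10,000 events (1 MB) per call, so a very large report for one severity needs to be split into batches before the `put_log_events` call.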
After a successful scan and logging run by the solution, you can view all image scan findings in CloudWatch Logs under the corresponding log group ‘/aws/ecr/image-scan-findings/repo-name’, and search for a specific vulnerability across all of the images associated with that repository.
Optional steps include:
1. Create CloudWatch alarms based on string matching to a vulnerability name, or a specific severity.
2. Create subscription filters for the log group, with destinations such as Elasticsearch, Kinesis, and Lambda.
3. Archive the findings in S3.
The provided CloudFormation template will need the following permissions:
- Create a CloudFormation stack.
- Create an IAM execution role for the Lambda function that allows the following actions:
  - ecr:DescribeImageScanFindings
  - logs:CreateLogGroup
  - logs:CreateLogStream
  - logs:PutLogEvents
  - logs:GetLogEvents
- Create a Lambda function and resource-based permission to allow EventBridge to trigger this Lambda function.
- Create an EventBridge rule and set the trigger to be the Lambda function.
- Download the CloudFormation template.
- With the required permissions listed above, upload the CloudFormation template and create a stack.
- Test the solution by scanning an image on ECR. Then go to CloudWatch and check the log groups starting with ‘/aws/ecr/image-scan-findings/repository name’.
- Feel free to modify the Lambda function code within the template and/or create the resources manually.