Hey DevOps folks and cloud builders!
Big news from AWS: Amazon ECR (Elastic Container Registry) just got smarter with its Enhanced Scanning feature.
It now tells you not just what vulnerabilities exist in your container images, but also where and if those images are even being used in your ECS or EKS clusters.
What Changed?
Before
You could scan container images in ECR and get a list of vulnerabilities using Amazon Inspector.
Now (as of June 2025)
You also get usage insights, including:
- Last used date
- Number of ECS/EKS clusters using the image
- Cluster ARNs (where the image is running)
This info is surfaced in both the ECR Console and Amazon Inspector.
Why This Matters
Let's say you have dozens of images in ECR. You run a vulnerability scan and get alerts.
But…
- Are those images even in use anymore?
- Which ones are actually powering your production apps?
Now you can know.
Real-World Example
You have two images in ECR:
backend-service:latest
- Used in 3 EKS clusters
- Last used yesterday
legacy-app:v1.2
- Not used in any cluster
- Last used 8 months ago
With this update, you can now:
- Focus your remediation on the backend-service:latest image
- Safely ignore or delete legacy-app:v1.2
- Save time and effort by fixing only what really matters
Benefits
- Prioritize vulnerabilities on actively-used images
- Clean up unused/outdated images
- Make smarter, faster security decisions
- Automatically updates as image usage changes
Where to View It
- ECR Console → Scan results
- Amazon Inspector Console → Findings
- Or use APIs to fetch usage data programmatically
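Once you have the usage data in hand, the prioritization from the real-world example above can be scripted. This is an added sketch, not AWS code: the record keys (`in_use_count`, `last_in_use_at`), the `batch-job:v3` and `scratch-test:dev` images and the 90-day staleness window are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample records. The key names are hypothetical and are not the
# Amazon Inspector response schema; map the fields you fetch onto them.
SAMPLE_FINDINGS = [
    {"image": "backend-service:latest", "severity": "HIGH",
     "in_use_count": 3, "last_in_use_at": "2025-06-29T10:00:00+00:00"},
    {"image": "backend-service:latest", "severity": "CRITICAL",
     "in_use_count": 3, "last_in_use_at": "2025-06-29T10:00:00+00:00"},
    {"image": "legacy-app:v1.2", "severity": "CRITICAL",
     "in_use_count": 0, "last_in_use_at": "2024-10-30T08:00:00+00:00"},
    {"image": "batch-job:v3", "severity": "MEDIUM",
     "in_use_count": 0, "last_in_use_at": "2025-06-20T02:00:00+00:00"},
    {"image": "scratch-test:dev", "severity": "LOW",
     "in_use_count": 0, "last_in_use_at": None},
]

def triage(findings, now, stale_after_days=90):
    """Return (remediation queue, cleanup candidates, images needing review)."""
    cutoff = now - timedelta(days=stale_after_days)
    remediate, cleanup, review = [], set(), set()
    for f in findings:
        last = f["last_in_use_at"]
        if f["in_use_count"] > 0:
            remediate.append(f)            # running in a cluster right now
        elif last is None:
            # No usage record at all. Assumption: usage data covers ECS/EKS
            # only, so confirm no other consumer pulls the image first.
            review.add(f["image"])
        elif datetime.fromisoformat(last) >= cutoff:
            remediate.append(f)            # idle now, used recently (e.g. a scheduled job)
        else:
            cleanup.add(f["image"])        # unused past the staleness window
    # Running images first, then highest severity, then widest deployment.
    remediate.sort(key=lambda f: (f["in_use_count"] == 0,
                                  -SEVERITY_RANK[f["severity"]],
                                  -f["in_use_count"]))
    return remediate, sorted(cleanup), sorted(review)

if __name__ == "__main__":
    queue, cleanup, review = triage(SAMPLE_FINDINGS, datetime(2025, 6, 30, tzinfo=timezone.utc))
    for f in queue:
        print(f["severity"], f["image"], "clusters:", f["in_use_count"])
    print("cleanup candidates:", cleanup)
    print("review before deleting:", review)
```

The three-way split keeps recently idle images (like a scheduled job between runs) in the remediation queue instead of treating "zero clusters right now" as "safe to delete".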
My Take
This update feels like a small tweak, but it massively boosts visibility and efficiency.
Perfect for teams juggling multiple microservices, environments, and deployments.
Less noise. More clarity. Smarter security.
Have you tried this yet? Let me know what you think!