AWS-ECR-Scan-on-ECR-Image-Push-Disabled

Severity : Medium

Description: Ensures that scan on push is enabled for every ECR repository.

Description: This control checks that each ECR repository has image scanning enabled for images pushed to it. ECR image scanning compares the software packages in a container image against the Common Vulnerabilities and Exposures (CVE) database and reports a list of findings, which helps surface known vulnerabilities in container images before they are deployed. When scan on push is enabled for a repository, every newly pushed image is scanned automatically; the findings are available in the ECR console and API (DescribeImageScanFindings), and a scan-completion event is published to Amazon EventBridge (formerly CloudWatch Events), where it can be routed to alerting or ticketing. Without scan on push, images are only scanned when someone triggers a scan manually, so vulnerable images can sit in the registry undetected. It is recommended to enable scan on push on all repositories.

Remediation Steps:

Perform the following to update the repository's image scanning configuration:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. From the Services menu, open the Amazon ECR console.

  3. In the navigation pane, choose Repositories.

  4. On the Repositories page, select the repository to reconfigure.

  5. Choose Edit.

  6. Under Image scan settings, enable Scan on push.

  7. Choose Save.
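The console steps above fix one repository at a time. The script below is an added example (not part of this control's text) that does the same thing across an account: it lists repositories, works out which ones will not have new images scanned on push, and enables basic scan on push on those. The audit logic accounts for registries switched to enhanced scanning, where scan on push is configured at the registry level by wildcard rules rather than per repository. The sample API responses at the bottom are constructed for illustration; the treatment of a CONTINUOUS_SCAN rule as satisfying scan on push, and the use of fnmatch to approximate ECR's wildcard repository filters, are assumptions of this example. The functions audit and remediate need boto3 and credentials with ecr:DescribeRepositories, ecr:GetRegistryScanningConfiguration and ecr:PutImageScanningConfiguration; the pure function find_noncompliant runs offline.

```python
"""Audit and remediate ECR scan-on-push across an account.

Added example, not code from the original control page. The live helpers use
boto3; find_noncompliant() is pure so it can be exercised on constructed data.
"""
import fnmatch

# Assumption: both enhanced-scanning frequencies scan an image when it is pushed.
COMPLIANT_FREQUENCIES = {"SCAN_ON_PUSH", "CONTINUOUS_SCAN"}


def _enhanced_scan_on_push(repo_name, registry_config):
    """True if a registry-level enhanced-scanning rule covers repo_name on push."""
    if registry_config.get("scanType") != "ENHANCED":
        return False
    for rule in registry_config.get("rules", []):
        if rule.get("scanFrequency") not in COMPLIANT_FREQUENCIES:
            continue
        for flt in rule.get("repositoryFilters", []):
            # Assumption: ECR WILDCARD filters behave like shell globs ('*' matches any run).
            if fnmatch.fnmatchcase(repo_name, flt.get("filter", "")):
                return True
    return False


def find_noncompliant(repositories, registry_config):
    """Return names of repositories whose newly pushed images will NOT be scanned.

    repositories   : list of dicts as returned by ecr describe-repositories
    registry_config: the 'scanningConfiguration' dict from
                     ecr get-registry-scanning-configuration
    """
    noncompliant = []
    for repo in repositories:
        name = repo["repositoryName"]
        basic = repo.get("imageScanningConfiguration", {}).get("scanOnPush", False)
        if basic or _enhanced_scan_on_push(name, registry_config):
            continue
        noncompliant.append(name)
    return noncompliant


def audit(ecr):
    """Live audit with a boto3 ECR client; paginates so large registries are covered."""
    repos = []
    for page in ecr.get_paginator("describe_repositories").paginate():
        repos.extend(page["repositories"])
    cfg = ecr.get_registry_scanning_configuration()["scanningConfiguration"]
    return find_noncompliant(repos, cfg)


def remediate(ecr, repo_names):
    """Enable basic scan on push; the API equivalent of console steps 4 to 7."""
    for name in repo_names:
        ecr.put_image_scanning_configuration(
            repositoryName=name,
            imageScanningConfiguration={"scanOnPush": True},
        )


# Constructed sample responses (not real account data).
SAMPLE_REPOS = [
    {"repositoryName": "api/backend", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "api/frontend", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "batch/etl", "imageScanningConfiguration": {"scanOnPush": False}},
]
BASIC_REGISTRY = {"scanType": "BASIC", "rules": []}
ENHANCED_REGISTRY = {
    "scanType": "ENHANCED",
    "rules": [{"scanFrequency": "SCAN_ON_PUSH",
               "repositoryFilters": [{"filter": "api/*", "filterType": "WILDCARD"}]}],
}

if __name__ == "__main__":
    # With basic scanning only the per-repository flag counts.
    print("basic registry, non-compliant:",
          find_noncompliant(SAMPLE_REPOS, BASIC_REGISTRY))
    # With enhanced scanning the registry rule covers api/*, leaving batch/etl exposed.
    print("enhanced registry, non-compliant:",
          find_noncompliant(SAMPLE_REPOS, ENHANCED_REGISTRY))
    # Live use (needs credentials):
    #   import boto3
    #   ecr = boto3.client("ecr")
    #   remediate(ecr, audit(ecr))
```

Run the audit first and review the list before calling remediate; enabling scan on push does not scan images that are already in the repository, so those still need a manual StartImageScan.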

Important: Enabling scan on push only affects images pushed after the setting is changed; images already stored in the repository are not scanned retroactively and must be scanned manually (StartImageScan). If the registry has been switched to enhanced scanning, scan on push is governed by the registry-level scanning configuration rather than the per-repository setting, so apply the rule there instead. Scan on push reports findings but does not block a push or a deployment; pair it with an EventBridge rule or a pipeline check that acts on the findings.

Reference:

 

Blue Hexagon Proprietary