Profile applicability: Level 2 - Cluster / Control Plane
Scan images deployed to Amazon EKS for vulnerabilities to mitigate the risk of exploitation by hackers or malicious users who might leverage software package vulnerabilities to gain unauthorized access to local cloud resources. Amazon Elastic Container Registry (ECR) and other third-party products offer functionality to scan images for known vulnerabilities. In the case of using AWS ECR, certain common image scan failures can occur. For instance, an UnsupportedImageError may arise if the image was built using an unsupported operating system, as Amazon ECR supports package vulnerability scanning only for major versions of specific Linux distributions such as Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, Alpine, and RHEL. Additionally, scan findings might return a severity level of UNDEFINED if the CVE source has not assigned a priority or if it's a priority Amazon ECR does not recognize. To accurately assess the severity and details of a vulnerability, the CVE can be viewed directly from the source.

Impact

If you are utilizing AWS ECR, common image scan failures can occur. Errors can be viewed in the Amazon ECR console, or through the API or AWS CLI using the DescribeImageScanFindings API.
UnsupportedImageError: This error may appear when attempting to scan an image built on an unsupported operating system. Amazon ECR supports vulnerability scanning for major versions of Amazon Linux, Debian, Ubuntu, and other distributions but not for images built from the Docker scratch image.
Undefined severity level: This may occur when the vulnerability is not prioritized by the CVE source or recognized by Amazon ECR.
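The two failure modes above are easy to miss in automation: a FAILED scan returns an empty findings list, and an UNDEFINED severity is neither "clean" nor ranked. The following shell script is an added example, not part of the benchmark text or an AWS tool, that triages the JSON from aws ecr describe-image-scan-findings (basic scanning; the enhancedFindings layout is not handled) so that a scan that did not complete is reported with its status description and UNDEFINED findings are called out for manual review at the CVE source. It assumes the AWS CLI's default pretty-printed JSON (one key per line) and runs offline against two constructed sample responses; the repository names, CVE ids, digest and description strings in the samples are placeholders.

```shell
#!/bin/sh
# Added example (not from the benchmark): triage the output of
#   aws ecr describe-image-scan-findings --repository-name "$REPO_NAME" \
#       --image-id imageTag="$IMAGE_TAG" --region "$REGION_CODE" --output json
# Assumes ECR basic-scanning output (imageScanFindings / imageScanStatus)
# in the CLI's default one-key-per-line JSON layout.

# Reads the describe-image-scan-findings JSON on stdin and prints either
# "SCAN_NOT_COMPLETE <status> <description>" or one "<SEVERITY> <count>"
# line per severity in priority order, plus a REVIEW line when UNDEFINED
# findings are present (ECR has not assigned them a priority).
triage_scan_findings() {
  awk -F'"' '
    /"status":/      { status = $4 }
    /"description":/ { desc = $4 }   # for a failed scan the only description is the status one
    /"severity":/    { counts[$4]++ }
    END {
      if (status != "COMPLETE") {
        print "SCAN_NOT_COMPLETE " status " " desc
        exit
      }
      n = split("CRITICAL HIGH MEDIUM LOW INFORMATIONAL UNDEFINED", order, " ")
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (s in counts) print s " " counts[s]
      }
      if ("UNDEFINED" in counts)
        print "REVIEW: UNDEFINED findings have no ECR-recognized priority; check the CVE at its source"
    }
  '
}

# Constructed sample of a completed scan (placeholder CVE ids and digest).
SAMPLE_COMPLETE='{
    "imageScanFindings": {
        "findings": [
            {
                "name": "CVE-0000-0001",
                "description": "constructed placeholder finding",
                "uri": "https://example.invalid/CVE-0000-0001",
                "severity": "HIGH",
                "attributes": [
                    { "key": "package_name", "value": "libexample" }
                ]
            },
            {
                "name": "CVE-0000-0002",
                "description": "constructed placeholder finding",
                "uri": "https://example.invalid/CVE-0000-0002",
                "severity": "UNDEFINED",
                "attributes": []
            }
        ],
        "findingSeverityCounts": {
            "HIGH": 1,
            "UNDEFINED": 1
        }
    },
    "registryId": "123456789012",
    "repositoryName": "legacy-batch",
    "imageId": {
        "imageDigest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
        "imageTag": "v1"
    },
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "The scan was completed successfully."
    }
}'

# Constructed sample of a scan that failed on an unsupported base image.
SAMPLE_FAILED='{
    "imageScanFindings": {},
    "registryId": "123456789012",
    "repositoryName": "scratch-tool",
    "imageId": { "imageTag": "v2" },
    "imageScanStatus": {
        "status": "FAILED",
        "description": "UnsupportedImageError: constructed placeholder description"
    }
}'

# Offline demonstrations on the constructed samples.
demo_complete() { printf '%s\n' "$SAMPLE_COMPLETE" | triage_scan_findings; }
demo_failed()   { printf '%s\n' "$SAMPLE_FAILED"   | triage_scan_findings; }
```

In a pipeline, pipe the live CLI output into triage_scan_findings and treat any SCAN_NOT_COMPLETE or REVIEW line as a reason to block or to escalate for a human look rather than as a pass.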

Audit

Please follow the guidelines from AWS ECR or your third-party provider for enabling image scanning. For AWS ECR, the following command returns the repository configuration; verify that imageScanningConfiguration shows scanOnPush set to true:
aws ecr describe-repositories --repository-names $REPO_NAME --region $REGION_CODE

Remediation

To utilize AWS ECR for image scanning, follow these steps:
Create a repository configured for scan on push (AWS CLI):
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
Edit the settings of an existing repository (AWS CLI):
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
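The audit and remediation commands above check and fix one repository at a time. The script below is an added example (not part of the benchmark or of the AWS CLI) that ties them together across an account: it extracts every repository whose scanOnPush is false from aws ecr describe-repositories output and emits the benchmark's put-image-scanning-configuration command for each one, so the commands can be reviewed before they are applied. It assumes the AWS CLI's default one-key-per-line JSON layout, with repositoryName preceding imageScanningConfiguration, and that REGION_CODE is set by the caller as in the commands above; the repository names in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): find ECR repositories
# that are not configured for scan on push and print the remediation
# command for each. Assumes AWS CLI v2 default JSON output.

# Reads `aws ecr describe-repositories --output json` on stdin and prints
# the names of repositories whose scanOnPush is false. Relies on the CLI
# printing one key per line with repositoryName before
# imageScanningConfiguration, which is the v2 default layout.
unscanned_repos_from_json() {
  awk -F'"' '
    /"repositoryName":/ { name = $4 }
    /"scanOnPush":/     { if ($0 ~ /false/) print name }
  '
}

# Live audit: query the account and print non-compliant repository names.
audit_ecr_scan_on_push() {
  aws ecr describe-repositories --region "$REGION_CODE" --output json \
    | unscanned_repos_from_json
}

# For each repository name on stdin, print the benchmark's remediation
# command for the region given as $1. Nothing is executed here; pipe the
# output to sh once it has been reviewed.
remediation_commands() {
  region="$1"
  while IFS= read -r repo; do
    [ -n "$repo" ] || continue
    printf 'aws ecr put-image-scanning-configuration --repository-name %s --image-scanning-configuration scanOnPush=true --region %s\n' \
      "$repo" "$region"
  done
}

# Constructed sample of describe-repositories output for offline use.
SAMPLE_REPOS='{
    "repositories": [
        {
            "repositoryName": "payments-api",
            "imageTagMutability": "IMMUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": true
            }
        },
        {
            "repositoryName": "legacy-batch",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": false
            }
        }
    ]
}'

# Offline demonstration on the constructed sample (region is a placeholder).
demo_audit() {
  printf '%s\n' "$SAMPLE_REPOS" | unscanned_repos_from_json
}

demo_remediation() {
  demo_audit | remediation_commands "us-east-1"
}
```

Against a real account, run audit_ecr_scan_on_push and pipe its output through remediation_commands "$REGION_CODE"; an empty audit result is the compliant state for this recommendation.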
Use the following steps to start a manual image scan using the AWS Management Console:
  1. Open the Amazon ECR console.
  2. From the navigation bar, choose the Region for your repository.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, select the repository that contains the image.
  5. On the Images page, select the image to scan, then choose Scan.