Differences between Amazon ECR and Inspector image scanning capabilities
Table of contents
- Points to note when using Enhanced scanning
- Try Enhanced scanning
- Official Documents
At AWS re:Invent 2021, the vulnerability management service Amazon Inspector was redesigned and released as the all-new Amazon Inspector (v2). The new Inspector not only scans EC2 but also scans container images stored in Amazon ECR.
Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector aws.amazon.com/jp/blogs/aws/improved-automa..
With the introduction of image scanning by Inspector, the ECR scanning function is now called Basic scanning, while the Inspector scanning function is called Enhanced scanning. The main differences between Basic scanning and Enhanced scanning are as follows.
|Vulnerability Detection Target
|OS packages only
|OS and programming language packages
|Vulnerability Detection Timing
|When the image is pushed
|When vulnerabilities occur
|Amazon EventBrdige Integration
|Yes (Scan result summary only)
|AWS Security Hub Integration
|AWS Organizations Integration
Vulnerability Detection Target
Basic scanning provides a scan using the CVE database of the open-source Clair project. Only OS packages are targeted for vulnerability detection.
Enhanced scanning is capable of detecting vulnerabilities in programming language packages in addition to OS packages. Supported programming languages are as follows.
Supported operating systems and programming languages docs.aws.amazon.com/inspector/latest/user/s..
Vulnerability Detection Timing
Basic scanning can be triggered when an image is pushed (Scan on push) or manually. Manual scans are limited to once every 24 hours for each image.
For Enhanced scanning, continuous scans can be used for repositories. Continuous scanning automatically scans whenever an image is pushed and whenever the Amazon Inspector vulnerability database is updated. This means that vulnerabilities can be detected at about the same time as vulnerability information is updated.
For Enhanced scanning, you can define whether you want to enable continuous scanning or only scan on push in the repository name scan filter. Manual scan execution is not possible with Enhanced scanning.
Basic scanning is free of charge, but Enhanced scanning is a paid feature, with the following monthly fees for the Tokyo region as of 12/2021
- Per first container image scanned during a push to ECR: $0.11
- Number of Continuous scans for a container image: $0.01 per scan
Pricing page: aws.amazon.com/inspector/pricing
Integration with Amazon EventBridge
When Basic scanning is complete, an event is sent to EventBridge, and you can get a summary of the scan results.
Amazon ECR events and EventBridge
Enhanced scanning is enabled, the following events are sent to EventBridge.
- Event for a repository scan frequency change
- Event for an initial image scan (equivalent to a Basic scanning)
- Event for an image scan finding update (created, updated, closed)
Enhanced scanning differs from Basic scanning in that an event is issued each time a vulnerability is found. For more details, please refer to the following document.
Integration with AWS Security Hub
In environments where AWS Security Hub is enabled, integration with Amazon Inspector is also automatically enabled. Vulnerabilities discovered by Enhanced scanning are automatically sent to AWS Security Hub and can be included in existing security operations workflows.
Integration with AWS Security Hub
AWS Organizations support
New Amazon Inspector also supports integration with AWS Organizations. Delegated administrator accounts can enable EC2 scans and ECR scans (Enhanced scanning) for all member accounts in an organization to manage vulnerabilities. It also supports the automatic activation of new accounts added to the organization.
Enabling scans for member accounts
Points to note when using Enhanced scanning
Manually scanning cannot be performed
Manually scanning cannot be performed in an environment with Enhanced scanning enabled.
Per-repository scan settings deprecated
Setting up a repository-level image scan has been deprecated. The use of scan filters is recommended even when using Basic scanning. The scan filter settings will take precedence if the repository-level and the registry scan filters are set. Continuous Scan setting for Enhanced Scanning can only be specified in the scan filter.
Continuous scanning is available up to 30 days after the image is pushed.
When a continuous scan is configured, the image will be scanned for 30 days after being pushed to the repository. If the image has not been updated in the last 30 days, the continuous scan for that image will be paused.
Basic scanning cannot be used together
The scan settings are for the entire registry. It is not possible to switch the scan type for each repository. Also, if you enable Enhanced scanning, you will not see the results of previous Basic scanning in the console.
The results are not lost, and you can refer to them again by changing the scan type back to Basic scanning.
Try Enhanced scanning
From the Private registry in the Amazon ECR console, click Edit for Scanning.
Select Enhanced scanning as the scan type. Note that this is a setting for the registry, so it cannot be used in conjunction with the basic scan. For both continuous scan and scan on push, you can use scan filters to narrow down the repositories to be scanned. In this example, we set the filter to target repository names starting with test/, but you can also target all repositories.
Click Confirm when you see a message about additional charges for Enhanced scanning.
Make sure that the scan settings have changed from Basic to Enhanced version.
If you check the Account management page of the new Inspector console, you will see that ECR container scanning is Enabled.
You can also check the coverage of repositories that have Enhanced scanning enabled in the Inspector dashboard. Four repositories in this environment had "scan on push" enabled in Basic scanning, so it has been carried over. Since the per-repository image scan setting has been deprecated, it is preferable to disable and use scan filters to manage the coverage.
Let's push the image. Since Enhanced scanning can detect language-specific vulnerabilities, I used a container image of a Java application. Enter the repository name to match the scan filter you have just set.
You will see that the scan frequency for the created repository is set to Continuous.
I pushed an image containing an old Java application for testing to detect the vulnerability.
$ aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
$ docker tag test/java-sample-app:v1.1.0 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0
$ docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0
The push refers to repository [123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app]
v1.1.0: digest: sha256:69a58fe6b25d21015da0f170ffa6934f2ec2827562238ecbde902ldkgi2d082b size: 1165
If you check the Inspector console, you will see that it detects quite many vulnerabilities.
Let's look at one of the critical vulnerabilities from All Findings. We are detecting a vulnerability in Jackson, a library for processing JSON in Java. Basic scanning does not detect vulnerabilities in programming language packages such as this.
The results were also linked to Security Hub.
Enhanced scanning be performed on an existing image?
When I enabled Enhanced Scanning, I noticed that the initial scan is also performed on some images stored in the existing repository. As far as I can tell, the initial scan will be performed on the stored images if the following conditions are met.
- The repository is the target of a continuous scan
- The image has been pushed within 30 days
Scanning Amazon ECR container images with Amazon Inspector