Differences between Amazon ECR and Inspector image scanning capabilities

Introduction

At AWS re:Invent 2021, the vulnerability management service Amazon Inspector was redesigned and released as the all-new Amazon Inspector (v2). The new Inspector not only scans EC2 but also scans container images stored in Amazon ECR.

Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector aws.amazon.com/jp/blogs/aws/improved-automa..

Differences

With the introduction of image scanning by Inspector, the ECR scanning function is now called Basic scanning, while the Inspector scanning function is called Enhanced scanning. The main differences between Basic scanning and Enhanced scanning are as follows.

| | Basic scanning | Enhanced scanning |
|---|---|---|
| Vulnerability detection target | OS packages only | OS and programming language packages |
| Vulnerability detection timing | When the image is pushed | When vulnerabilities occur |
| Pricing | Free | Not free |
| Amazon EventBridge integration | Yes (scan result summary only) | Yes |
| AWS Security Hub integration | No | Yes |
| AWS Organizations integration | No | Yes |

Vulnerability Detection Target

Basic scanning provides a scan using the CVE database of the open-source Clair project. Only OS packages are targeted for vulnerability detection.

Enhanced scanning is capable of detecting vulnerabilities in programming language packages in addition to OS packages. Supported programming languages are as follows.

  • C#
  • Golang
  • Java
  • JavaScript
  • PHP
  • Python
  • Ruby
  • Rust

Supported operating systems and programming languages docs.aws.amazon.com/inspector/latest/user/s..

Vulnerability Detection Timing

Basic scanning can be triggered when an image is pushed (Scan on push) or manually. Manual scans are limited to once every 24 hours for each image.

For Enhanced scanning, continuous scans can be used for repositories. Continuous scanning automatically scans whenever an image is pushed and whenever the Amazon Inspector vulnerability database is updated. This means that vulnerabilities can be detected at about the same time as vulnerability information is updated.

For Enhanced scanning, you define in the scan filter on repository names whether continuous scanning is enabled or only scan on push. Manual scan execution is not possible with Enhanced scanning.

Pricing

Basic scanning is free of charge, but Enhanced scanning is a paid feature. The monthly fees for the Tokyo region as of 12/2021 are as follows.

  • Initial scan of a container image pushed to ECR: $0.11 per image
  • Continuous scans of a container image: $0.01 per scan

Pricing page: aws.amazon.com/inspector/pricing

Integration with Amazon EventBridge

When Basic scanning is complete, an event is sent to EventBridge, and you can get a summary of the scan results.

Amazon ECR events and EventBridge
docs.aws.amazon.com/AmazonECR/latest/usergu..

When Enhanced scanning is enabled, the following events are sent to EventBridge.

  • Event for a repository scan frequency change
  • Event for an initial image scan (equivalent to a Basic scan)
  • Event for an image scan finding update (created, updated, closed)

Enhanced scanning differs from Basic scanning in that an event is issued for each vulnerability found, not just a summary. For more details, please refer to the following document.
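The finding-update events are what make the Enhanced scanning integration actionable, so here is an added example (not from the original post) of how a handler might triage one: it routes critical and high findings to an alert, closes the tracking ticket when Inspector closes the finding, and ignores the Basic-scanning summary event. The event is a constructed sample; the field layout follows the Inspector2 Finding shape and the "OS" packageManager value are assumptions.

```python
# "OS" is the packageManager value Inspector reports for OS packages (assumption);
# any other value is a language package, which only Enhanced scanning reports.
OS_PACKAGE_MANAGERS = {"OS"}
ALERT_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample event, not a real finding. The layout follows the
# Inspector2 Finding shape as an assumption; identifiers are placeholders.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-XXXX-XXXXX",
            "vulnerablePackages": [{"name": "jackson-databind", "version": "1.0.0",
                                    "fixedInVersion": "1.0.1", "packageManager": "JAR"}],
        },
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "details": {"awsEcrContainerImage": {"repositoryName": "test/java-sample-app",
                                                 "imageTags": ["v1.1.0"]}},
        }],
    },
}


def triage_finding(event):
    """Return a routing decision (alert / record / resolve / ignore) for one event."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        return {"action": "ignore"}  # e.g. the Basic-scanning "ECR Image Scan" summary event
    detail = event["detail"]
    vuln = detail.get("packageVulnerabilityDetails", {})
    packages = vuln.get("vulnerablePackages", [])
    image = next((r for r in detail.get("resources", [])
                  if r.get("type") == "AWS_ECR_CONTAINER_IMAGE"), {})
    ecr_image = image.get("details", {}).get("awsEcrContainerImage", {})
    result = {
        "vulnerability": vuln.get("vulnerabilityId"),
        "severity": detail.get("severity"),
        "repository": ecr_image.get("repositoryName"),
        "packages": [p.get("name") for p in packages],
        # Language packages are exactly what Basic scanning cannot see.
        "language_package": any(p.get("packageManager") not in OS_PACKAGE_MANAGERS for p in packages),
        "fix_available": any(p.get("fixedInVersion") for p in packages),
    }
    if detail.get("status") == "CLOSED":
        result["action"] = "resolve"  # closed upstream: close the tracking ticket too
    else:
        result["action"] = "alert" if detail.get("severity") in ALERT_SEVERITIES else "record"
    return result
```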

Enhanced scanning
docs.aws.amazon.com/AmazonECR/latest/usergu..

Integration with AWS Security Hub

In environments where AWS Security Hub is enabled, its integration with Amazon Inspector is enabled automatically. Vulnerabilities discovered by Enhanced scanning are sent to AWS Security Hub automatically and can be included in existing security operations workflows.

Integration with AWS Security Hub
docs.aws.amazon.com/inspector/latest/user/s..

AWS Organizations support

The new Amazon Inspector also supports integration with AWS Organizations. A delegated administrator account can enable EC2 scanning and ECR scanning (Enhanced scanning) for all member accounts in the organization and manage their vulnerabilities. New accounts added to the organization can also be activated automatically.

Enabling scans for member accounts
docs.aws.amazon.com/inspector/latest/user/a..

Points to note when using Enhanced scanning

Manual scans cannot be performed

Manual scans cannot be performed in an environment with Enhanced scanning enabled.

Per-repository scan settings deprecated

The per-repository image scan setting has been deprecated, and scan filters are recommended even when using Basic scanning. If both a repository-level setting and a registry scan filter are set, the scan filter takes precedence. The continuous scan setting for Enhanced scanning can only be specified in a scan filter.

Continuous scanning is available up to 30 days after the image is pushed.

When continuous scanning is configured, an image is scanned continuously for 30 days after it is pushed to the repository. If the image has not been updated in the last 30 days, continuous scanning of that image is paused.

Basic scanning cannot be used at the same time

The scan settings apply to the entire registry; the scan type cannot be switched per repository. Also, once Enhanced scanning is enabled, the results of previous Basic scans are no longer shown in the console.

The results are not lost, and you can refer to them again by changing the scan type back to Basic scanning.

Try Enhanced scanning

Settings

From the Private registry in the Amazon ECR console, click Edit for Scanning.

Select Enhanced scanning as the scan type. Note that this is a registry-wide setting, so it cannot be used in combination with Basic scanning. For both continuous scan and scan on push, scan filters narrow down the repositories to be scanned. In this example, the filter targets repository names starting with test/, but you can also target all repositories.

Click Confirm when you see a message about additional charges for Enhanced scanning.

Make sure that the scan type has changed from Basic to Enhanced.

If you check the Account management page of the new Inspector console, you will see that ECR container scanning is Enabled.

You can also check the coverage of repositories that have Enhanced scanning enabled in the Inspector dashboard. Four repositories in this environment had "scan on push" enabled under Basic scanning, so that setting has been carried over. Since the per-repository image scan setting has been deprecated, it is preferable to disable it and manage the coverage with scan filters.
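The console steps above can be reproduced with the ECR API, which is the form most teams will want for infrastructure-as-code. The following is an added example, not code from the original post: it builds the registry scanning configuration with a continuous-scan filter on the test/ prefix, checks locally which repositories a configuration covers, and verifies the applied setting. The region and the test/ prefix come from the post; the prefix-matching rule in matching_frequencies and the boto3 response shape are assumptions.

```python
# Added example (not from the original post): the registry scanning configuration
# from the walkthrough, applied through the ECR API instead of the console.
# Region and the "test/" prefix come from the post; the rest is an assumption.

def build_scanning_configuration(continuous_prefixes, on_push_prefixes=()):
    """Build the PutRegistryScanningConfiguration request body."""
    def rule(frequency, prefixes):
        # Each prefix becomes a WILDCARD repository filter, so "test/" covers
        # every repository whose name starts with test/, like the console filter.
        return {"scanFrequency": frequency,
                "repositoryFilters": [{"filter": p, "filterType": "WILDCARD"} for p in prefixes]}

    rules = []
    if continuous_prefixes:
        rules.append(rule("CONTINUOUS_SCAN", list(continuous_prefixes)))
    if on_push_prefixes:
        rules.append(rule("SCAN_ON_PUSH", list(on_push_prefixes)))
    return {"scanType": "ENHANCED", "rules": rules}


def matching_frequencies(config, repository_name):
    """Return the scan frequencies whose filters cover repository_name."""
    hits = []
    for r in config.get("rules", []):
        for f in r.get("repositoryFilters", []):
            # Assumption: a filter is matched as a repository-name prefix, which is
            # how the post's "test/" filter behaves; a trailing '*' is ignored.
            if repository_name.startswith(f["filter"].rstrip("*")):
                hits.append(r["scanFrequency"])
                break
    return hits


def apply_and_verify(region="ap-northeast-1"):
    """Push the configuration to ECR and confirm Enhanced scanning now covers the repository."""
    import boto3  # imported here so the pure functions above need no SDK
    ecr = boto3.client("ecr", region_name=region)
    ecr.put_registry_scanning_configuration(**build_scanning_configuration(["test/"]))
    current = ecr.get_registry_scanning_configuration()["scanningConfiguration"]
    return (current.get("scanType") == "ENHANCED"
            and "CONTINUOUS_SCAN" in matching_frequencies(current, "test/java-sample-app"))


if __name__ == "__main__":
    print("enhanced scanning active:", apply_and_verify())
```

Running the script needs credentials with ecr:PutRegistryScanningConfiguration and ecr:GetRegistryScanningConfiguration; the builder and matcher run offline.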

Operation check

Let's push an image. Since Enhanced scanning can detect language-specific vulnerabilities, I used a container image of a Java application. Create the repository with a name that matches the scan filter you have just set.

You will see that the scan frequency for the created repository is set to Continuous.

I pushed an image containing an old Java application for testing to detect the vulnerability.

$ aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
Login Succeeded

$ docker tag test/java-sample-app:v1.1.0 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0
$ docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app:v1.1.0
The push refers to repository [123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test/java-sample-app]
c5baabd61e59: Pushed 
88e64033fc7f: Pushed 
0466be121ce3: Pushed 
b87942114db6: Pushed 
v1.1.0: digest: sha256:69a58fe6b25d21015da0f170ffa6934f2ec2827562238ecbde902ldkgi2d082b size: 1165

If you check the Inspector console, you will see that it detects quite a few vulnerabilities.

Let's look at one of the critical vulnerabilities under All Findings. It is a vulnerability in Jackson, a library for processing JSON in Java. Basic scanning does not detect vulnerabilities in programming language packages like this one.

The results were also linked to Security Hub.

Is Enhanced scanning performed on existing images?

When I enabled Enhanced scanning, I noticed that the initial scan was also performed on some images stored in existing repositories. As far as I can tell, the initial scan is performed on stored images when the following conditions are met.

  • The repository is the target of a continuous scan
  • The image has been pushed within 30 days

Official Documents

Image scanning
docs.aws.amazon.com/AmazonECR/latest/usergu..

Scanning Amazon ECR container images with Amazon Inspector
docs.aws.amazon.com/inspector/latest/user/e..