How to monitor ECR Image Scanning
Michael Wittig – 28 Jan 2020
Amazon ECR image scanning helps you identify software vulnerabilities in your Docker images.
To forward findings to other systems (e.g., Slack), you have to:
- Enable Scan on push for your ECR repository.
- Create a CloudWatch Events Rule to subscribe to the findings.
To enable Scan on push, flip the switch when creating or updating an ECR repository.
- Visit the CloudWatch Console.
- Navigate to Events -> Rules.
- Create a new rule.
- Set Service Name to Elastic Container Registry (ECR).
- Set Event Type to ECR Image Scan.
Which results in the following Event Pattern (it matches only on the event source and the detail type):

    {
      "source": ["aws.ecr"],
      "detail-type": ["ECR Image Scan"]
    }
Unfortunately, this event pattern cannot filter scan results by finding severity: every scan result, whatever its severity counts, triggers the rule, so any severity-based filtering has to happen in the target.
- Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.
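Since the rule forwards every scan result, a practical target is a Lambda function that applies the severity filter before anything reaches SNS or Slack. The following is an added example (Python), not code from the original post or from marbot: it mimics the rule's exact-value matching for the pattern above, then decides whether a scan result is worth forwarding and builds a one-line summary. The event shape follows the documented ECR Image Scan event (`scan-status`, `repository-name`, `image-digest`, `image-tags`, `finding-severity-counts` under `detail`); the sample event values (account, region, repository, digest, counts) are constructed, and the `HIGH` threshold and the conservative treatment of unknown severities such as `UNDEFINED` are design choices of this example.

```python
"""Severity filtering for ECR Image Scan events delivered by a CloudWatch Events rule.

Added example, not code from the original post: a Lambda-style handler that receives
the event, decides whether it is worth forwarding, and builds a summary message.
"""
from typing import Any, Dict, List

# Event pattern the console generates for Service Name "Elastic Container Registry (ECR)"
# and Event Type "ECR Image Scan". It matches source and detail-type only, so every
# scan result, whatever its severity, is delivered to the target.
EVENT_PATTERN: Dict[str, List[str]] = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
}

# ECR finding severities, lowest to highest. "UNDEFINED" also occurs; it is ranked
# highest below so that it is never silently dropped (design choice of this example).
SEVERITY_ORDER: List[str] = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample event following the documented ECR Image Scan event shape.
# Account ID, region, repository name, digest, tags and counts are made up.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "123456789012",
    "time": "2020-01-28T10:00:00Z",
    "region": "eu-west-1",
    "resources": ["arn:aws:ecr:eu-west-1:123456789012:repository/example-app"],
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "example-app",
        "image-digest": "sha256:" + "ab" * 32,
        "image-tags": ["1.4.2", "latest"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 9, "LOW": 2},
    },
}


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, List[str]]) -> bool:
    """Mimic the rule's matching for exact-value patterns: every pattern key must be
    present in the event and its value must be one of the listed values."""
    return all(event.get(key) in values for key, values in pattern.items())


def severity_rank(severity: str) -> int:
    """Rank a severity name; unknown names (e.g. UNDEFINED) rank above CRITICAL."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def count_at_or_above(counts: Dict[str, int], threshold: str) -> int:
    """Number of findings whose severity is at least `threshold`."""
    floor = severity_rank(threshold)
    return sum(n for sev, n in counts.items() if severity_rank(sev) >= floor)


def should_alert(event: Dict[str, Any], threshold: str = "HIGH") -> bool:
    """Forward failed scans always (the image was never checked) and completed scans
    only when at least one finding reaches the threshold."""
    detail = event.get("detail", {})
    if detail.get("scan-status") != "COMPLETE":
        return True
    return count_at_or_above(detail.get("finding-severity-counts", {}), threshold) > 0


def format_message(event: Dict[str, Any]) -> str:
    """One-line summary suitable for an SNS message or a Slack post."""
    detail = event["detail"]
    counts = detail.get("finding-severity-counts", {})
    ordered = sorted(counts, key=severity_rank, reverse=True)
    summary = ", ".join(f"{sev}={counts[sev]}" for sev in ordered) or "none"
    tags = ",".join(detail.get("image-tags", [])) or "<untagged>"
    return (
        f"ECR scan {detail.get('scan-status')} for {detail.get('repository-name')}:{tags} "
        f"({detail.get('image-digest', '')[:19]}) in {event.get('region')} - findings: {summary}"
    )


def handler(event: Dict[str, Any], context: Any = None, threshold: str = "HIGH") -> Dict[str, Any]:
    """Lambda entry point for the rule target. Returns the decision instead of publishing
    so it runs offline; in a deployment, pass `message` to sns.publish when `notify` is True."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"notify": False, "reason": "not an ECR Image Scan event"}
    return {"notify": should_alert(event, threshold), "message": format_message(event)}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Failed scans are forwarded unconditionally because a `FAILED` status carries no severity counts at all; dropping it would hide the fact that an image was pushed without ever being scanned.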
Do you want to receive scan results via Slack? Add marbot to your Slack workspace and deploy our AWS basics Monitoring Jump Start.
This blog post is provided by marbot: Incident Management for AWS