How to monitor ECR Image Scanning

Michael Wittig – 28 Jan 2020

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

How to monitor ECR Image Scanning

To forward findings to other systems (e.g., Slack), you have to:

  1. Enable Scan on push for your ECR repository.
  2. Create a CloudWatch Events Rule to subscribe to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.

Enable Scan on push

Create a CloudWatch Events Rule

  1. Visit the CloudWatch Console.
  2. Navigate to Events -> Rules.
  3. Create a new rule.
    Create a CloudWatch Events Rule
  4. Set Service Name to Elastic Container Registry (ECR).
  5. Set Event Type to ECR Image Scan.
    Which results in the following Event Pattern:

    "detail-type": [
    "ECR Image Scan"
    "source": [

    Unfortunately, you can not filter scan results according to the finding severities.

  6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.

Do you want to receive scan results via Slack? Add marbot to your Slack workspace and deploy our AWS basics Monitoring Jump Start.

Michael Wittig

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building Author of Amazon Web Services in Action, Rapid Docker on AWS, and

You can contact me via Email, Twitter, and LinkedIn.

Published on

marbot teaser

AWS monitoring & alerting in Slack

marbot takes care of your Amazon Web Services (AWS) monitoring setup. You receive and close all relevant alerts via Slack. marbot integrates with CloudWatch, Elastic Beanstalk, EC2, RDS, any many more.

Slack icon
Add to Slack