How to monitor ECR Image Scanning

Michael Wittig – 28 Jan 2020

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

How to monitor ECR Image Scanning

To forward findings to other systems (e.g., Slack), you have to:

  1. Enable Scan on push for your ECR repository.
  2. Create a CloudWatch Events Rule to subscribe to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.

Enable Scan on push

Create a CloudWatch Events Rule

  1. Visit the CloudWatch Console.
  2. Navigate to Events -> Rules.
  3. Create a new rule.
    Create a CloudWatch Events Rule
  4. Set Service Name to Elastic Container Registry (ECR).
  5. Set Event Type to ECR Image Scan.
    Which results in the following Event Pattern:

    "detail-type": [
    "ECR Image Scan"
    "source": [

    Unfortunately, you can not filter scan results according to the finding severities.

  6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.

Do you want to receive scan results via Slack? Add marbot to your Slack workspace and deploy our AWS basics Monitoring Jump Start.

Michael Wittig

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building Author of Amazon Web Services in Action, Rapid Docker on AWS, and

You can contact me via Email, Twitter, and LinkedIn.

Published on

marbot teaser

Incident Management for Slack

Team up to solve incidents with marbot. Never miss a critical alert. Escalate alerts from your AWS infrastructure among your team members. Strong integrations with all parts of your AWS infrastructure: CloudWatch, Elastic Beanstalk, RDS, EC2, ...

Slack icon
Add to Slack