AWS Inspector is an automated security assessment service designed to help improve the security and compliance of applications deployed on Amazon Web Services. It automatically assesses applications for vulnerabilities or deviations from best practices. After performing assessments, AWS Inspector produces detailed reports highlighting security issues, making it easier for users to address potential risks and enhance their security posture effectively.
Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities, generating package vulnerability findings. This helps identify and address potential security issues within your containerized applications, ensuring a more secure deployment environment.
When you activate Amazon Inspector scans for Amazon ECR, you designate Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, offered at no charge by Amazon ECR, with Enhanced scanning, which is provided and billed through Amazon Inspector.
Enhanced scanning provided by Amazon Inspector offers comprehensive vulnerability scanning for both operating system and programming language packages at the registry level. You can view detailed findings for each image layer on the Amazon ECR console and integrate these findings with AWS Security Hub and Amazon EventBridge, services not available for basic scanning.
Enhanced scanning offers two modes: continuous scanning and on-push scanning. Continuous scanning includes initial scans upon image push and automated rescans, while on-push scanning occurs only when an image is first pushed. Both modes allow you to refine the scanning scope with inclusion filters.
Automated rescans are triggered for container images based on the selected scanning mode. With continuous scanning, images are automatically rescanned whenever Amazon Inspector updates its database with new Common Vulnerabilities and Exposures (CVE) items.
Step-by-step process to configure enhanced scanning
Step 1: Go to Amazon Inspector and click Activate Inspector in your preferred region.
Step 2: Go to Amazon ECR and create a private repository.
Step 3: Add a repository name and create the repository.
Step 4: Once the repository is created, select its name, click Actions and choose repository filters.
Step 5: Enable enhanced scanning and select either continuously scan repositories or scan on push, as you prefer.
Step 6: Now create an EC2 instance from the Amazon Linux 2 AMI and install Docker on the instance:
$ sudo amazon-linux-extras install docker
$ sudo service docker start
$ sudo usermod -a -G docker ec2-user
# Make Docker auto-start on boot
$ sudo chkconfig docker on
$ sudo yum install -y git
# This pulls a sample image that is deliberately packed with known vulnerabilities
$ docker pull vulnerabilities/web-dvwa
Step 7: Retag this image with the name of the repository you created.
Step 8: Go back to your ECR repository, open View push commands and copy the push command for your repository.
Now tag the image and push it to the private repository.
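The tag-and-push step above, written out as a small POSIX shell script. This is an added example, not code from the original post or from AWS; it assumes the Docker CLI and AWS CLI v2 are installed and configured on the EC2 instance, and the account id, region and repository name are placeholders you supply. Setting DRY_RUN=1 prints the commands instead of running them, which is useful to check the image URI before pushing.

```shell
#!/bin/sh
# Added example (not from the original post): tag a locally pulled image and push it
# to a private ECR repository so Amazon Inspector's enhanced scanning picks it up.
# Assumptions: Docker CLI and AWS CLI v2 are installed; credentials are configured.
set -eu

# Private ECR registry host for an account/region pair.
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# Fully qualified image URI: <registry>/<repository>:<tag>
ecr_image_uri() {
  printf '%s/%s:%s' "$(ecr_registry "$1" "$2")" "$3" "$4"
}

# Run a command, or just echo it when DRY_RUN=1 is set in the environment.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# push_to_ecr ACCOUNT_ID REGION REPOSITORY LOCAL_IMAGE [TAG]
# Logs Docker in to the private registry, retags the local image and pushes it.
# Prints the pushed image URI as its last line.
push_to_ecr() {
  account="$1"; region="$2"; repo="$3"; local_image="$4"; tag="${5:-latest}"
  registry=$(ecr_registry "$account" "$region")
  target=$(ecr_image_uri "$account" "$region" "$repo" "$tag")

  # Authenticate the Docker client with a short-lived ECR token (same as the
  # "View push commands" login line in the console).
  run sh -c "aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $registry"
  # Step 7: retag the local image with the repository name.
  run docker tag "$local_image" "$target"
  # Step 8: push; with enhanced scanning enabled, Inspector scans on push.
  run docker push "$target"
  echo "$target"
}

# Example invocation with placeholder values (constructed, not a real account):
# DRY_RUN=1; export DRY_RUN
# push_to_ecr 123456789012 us-east-1 dvwa vulnerabilities/web-dvwa
```

Run it once with DRY_RUN=1 to confirm the target URI matches the repository you created, then unset DRY_RUN to actually push.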
Step 9: Once the image appears in your ECR repository, click See findings.
You will see a list of vulnerabilities.
If you check the ECR scanning page in Amazon Inspector as well, you will see the same findings.
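The same findings are available from the command line, which is what you want when the push happens in a pipeline rather than by hand. The script below is an added example, not part of the original post or of AWS's own tooling; it assumes AWS CLI v2 with the inspector2 subcommand and a configured profile, takes the repository name as input, and uses a constructed sample of findings lines for the offline counting helpers.

```shell
#!/bin/sh
# Added example (not from the original post): list Inspector findings for the
# images in one ECR repository and count them by severity, so a pipeline can
# fail on critical findings. Assumes AWS CLI v2 (inspector2 subcommand).
set -eu

# Filter JSON for "findings whose ECR image lives in this repository".
ecr_repo_filter() {
  printf '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"%s"}]}' "$1"
}

# Live call: emit one "SEVERITY<TAB>TITLE" line per finding for the repository.
fetch_findings() {
  aws inspector2 list-findings \
    --filter-criteria "$(ecr_repo_filter "$1")" \
    --query 'findings[].[severity,title]' \
    --output text
}

# Offline helper: count findings per severity from SEVERITY<TAB>TITLE lines on stdin.
count_by_severity() {
  awk -F'\t' '{ c[$1]++ } END { for (s in c) printf "%s %d\n", s, c[s] }' | sort
}

# Offline helper: number of findings at exactly the given severity (e.g. CRITICAL).
count_at_severity() {
  awk -F'\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# gate_on_critical REPOSITORY: print the per-severity summary and return 1 if
# any CRITICAL finding exists, so `gate_on_critical dvwa || exit 1` blocks a deploy.
gate_on_critical() {
  findings=$(fetch_findings "$1")
  printf '%s\n' "$findings" | count_by_severity
  crit=$(printf '%s\n' "$findings" | count_at_severity CRITICAL)
  [ "$crit" -eq 0 ]
}

# Constructed sample output (same shape as fetch_findings produces), for a
# local dry run of the counting helpers:
# sample=$(printf 'CRITICAL\tsample finding a\nHIGH\tsample finding b\nCRITICAL\tsample finding c\nLOW\tsample finding d\n')
# printf '%s\n' "$sample" | count_by_severity
```

The summary lines sort alphabetically by severity name, so if you want them in severity order, pipe through a small lookup instead of sort. The gate treats only CRITICAL as blocking; lower the threshold by counting HIGH as well.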