Integrate Amazon Elastic Container Registry
Container Registry Support
Amazon Elastic Container Registry (ECR) integrations support:
- Auto polling - polling occurs every 15 minutes.
- On-demand scans via the API.
note
A single Amazon ECR integration covers at most 1000 repositories, a limit imposed by the Docker V2 registry API that Lacework uses to enumerate them.
By default, Lacework assesses the 5 newest images (tags) in each ECR repository; the Images per Repo setting below changes this.
Navigate to ECR Integration
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container registries.
- Click + Add New.
- Click Amazon Container Registry (ECR) and select the authentication type: AWS IAM Role (recommended) or AWS Key ID Access Key.
- Click Next.
- Follow the steps in the section below that matches the authentication type you selected.
Integrate Using IAM Role-Based Authentication (Recommended)
To use this authentication type, create a cross-account IAM role in the AWS account that owns the registry, with the Lacework AWS account (434813966438) defined as a trusted entity. The role's trust policy should also require the External ID that you enter in the Lacework Console; this is AWS's confused-deputy protection for third-party access, and it is what keeps another party that knows only your Role ARN from assuming the role. Attach the AmazonEC2ContainerRegistryReadOnly managed policy to the role; it grants read-only access to ECR (repository listing, image metadata, and layer pull), which is all Lacework needs. For more information, see AmazonEC2ContainerRegistryReadOnly.
important
AWS IAM role-based integrations are supported for AWS standard accounts only; IAM role-based integrations are not supported for AWS GovCloud accounts. As stated in AWS Identity and Access Management documentation: You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.
- Click Amazon Container Registry (ECR) and select AWS IAM Role.
- Click Next.
- Configure the registry and complete any optional settings.
- Click Save. The integration status displays Integration Successful only after its first assessment completes.
- Verify that assessments have started by viewing the table in Vulnerabilities > Containers.
After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.
Configure Registry
| Setting Name | Description |
|---|---|
| Name | Specify a unique name for the container registry in the Lacework Console. |
| External ID | Specify the AWS external ID that the cross-account role's trust policy requires. Lacework presents this ID when it assumes the role, so only a caller that knows the ID can use the role. |
| Role ARN | Specify the ARN of the cross-account role that Lacework assumes to read your ECR registry. |
| Registry Domain | Specify the URL of your Amazon Elastic Container Registry (ECR) in the following format: YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com, where YourAWSAccount is the 12-digit ID of the AWS account that owns the registry (the account in which the cross-account role is created) and YourRegion is the region the registry lives in, such as us-west-2. Note: Do not prefix the URL with https:// . |
Optional Settings
| Setting Name | Description |
|---|---|
| Limit Image Tags | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz ). |
| Limit Image Labels | If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value . If you specify tag and label limits, they function as an AND. |
| Limit Repositories | If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. Note: Do not include the registry in the repository name(s). |
| Images per Repo | Select the maximum number of newest container images to discover/assess per repository. |
| Non-OS Package Support | This feature is enabled by default. Select No if you want to disable scanning of language libraries. |
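The following script is an added example, not Lacework's or AWS's own tooling: it creates the cross-account role described above with the AWS CLI and produces the three values you enter in the Console (External ID in the trust policy, Role ARN, Registry Domain). It assumes, beyond what the page states, that the role name and external ID are yours to choose, that requiring the external ID in the trust policy is the standard AWS pattern for third-party cross-account access, and that the AWS CLI is installed and authenticated in the account that owns the registry. The Lacework account ID and the managed policy name are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from the Lacework docs): create the cross-account role for
# the IAM-role-based ECR integration and build the Registry Domain value.
# Assumptions not on the page: role name and external ID are chosen by you;
# the sts:ExternalId condition is the standard AWS third-party access pattern;
# the AWS CLI is installed and authenticated in the registry-owning account.
set -eu

LACEWORK_ACCOUNT_ID="434813966438"   # Lacework's AWS account, as stated on the page
READONLY_POLICY_ARN="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"

# Trust policy: only principals in Lacework's AWS account may assume the role,
# and only when they present the external ID. Lacework's account is shared by
# all of its customers, so the external ID is what ties the role to your tenant.
lw_ecr_trust_policy() {
  ext_id="$1"
  # AWS allows 2..1224 characters from [A-Za-z0-9+=,.@:/-]; reject anything else.
  case "$ext_id" in
    ""|?|*[!A-Za-z0-9+=,.@:/-]*) echo "invalid external ID" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${LACEWORK_ACCOUNT_ID}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${ext_id}" } }
    }
  ]
}
EOF
}

# Registry Domain in the exact form the Console expects: no scheme, no path,
# a 12-digit account ID, and the region the registry lives in.
lw_ecr_registry_domain() {
  acct="$1"; region="$2"
  case "$acct" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account ID must be exactly 12 digits: $acct" >&2; return 1 ;;
  esac
  case "$region" in
    ""|*[!a-z0-9-]*) echo "region must look like us-west-2: $region" >&2; return 1 ;;
  esac
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$acct" "$region"
}

# Create the role with the trust policy above, attach the read-only ECR policy,
# and print the Role ARN to enter in the Console.
lw_ecr_create_role() {
  role="$1"; ext_id="$2"
  aws iam create-role \
    --role-name "$role" \
    --assume-role-policy-document "$(lw_ecr_trust_policy "$ext_id")" \
    --query 'Role.Arn' --output text
  aws iam attach-role-policy \
    --role-name "$role" \
    --policy-arn "$READONLY_POLICY_ARN"
}

# Usage: sh lw_ecr_role.sh apply <role-name> <external-id>
# Without "apply" the script only defines the functions and touches nothing in AWS.
if [ "${1:-}" = "apply" ]; then
  lw_ecr_create_role "$2" "$3"
fi
```

After running it with apply, enter the external ID you passed, the printed Role ARN, and the output of lw_ecr_registry_domain for your account and region in the Configure Registry fields. Keep the external ID out of shell history and tickets: it is the only thing that stops another Lacework tenant from using your Role ARN.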
Integrate Using Key ID Access Key-Based Authentication
To use this authentication type, the AWS IAM user whose access key you specify must have the AmazonEC2ContainerRegistryReadOnly managed policy attached (directly or through a group). For more information, see AmazonEC2ContainerRegistryReadOnly. The AmazonEC2ContainerRegistryReadOnly managed policy applies to all regions. If you want to narrow the policy to a single region, create a custom policy and scope it to your region. For more information, see Control access to AWS regions using IAM policies. The IAM user does not need AWS Console access; a programmatic access key is sufficient. Because an access key is a long-lived credential that Lacework stores, prefer the IAM role-based integration wherever your account type allows it; if you must use a key, create an IAM user dedicated to this integration, grant it nothing beyond ECR read access, and rotate the key on a schedule.
important
AWS key ID access key-based integrations are supported for AWS standard and AWS GovCloud accounts.
- Configure the registry and complete any optional settings.
- Click Save. The integration status displays Integration Successful only after its first assessment completes.
- Verify that assessments have started by viewing the table in Vulnerabilities > Containers.
After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.
Configure Registry
| Setting Name | Description |
|---|---|
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Access Key ID | Specify the access key ID of the AWS IAM user that has the AmazonEC2ContainerRegistryReadOnly policy attached. |
| Secret Access Key | Specify the AWS secret access key that pairs with the specified access key ID. |
| Registry Domain | Specify the URL of your Amazon Elastic Container Registry (ECR) in the following format: YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com, where YourAWSAccount is the 12-digit ID of the AWS account that owns the registry (the account the IAM user belongs to) and YourRegion is the region the registry lives in, such as us-west-2. Note: Do not prefix the URL with https:// . |
Optional Settings
| Setting Name | Description |
|---|---|
| Limit Image Tags | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz ). |
| Limit Image Labels | If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value . If you specify tag and label limits, they function as an AND. |
| Limit Repositories | If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. Note: Do not include the registry in the repository name(s). |
| Images per Repo | Select the maximum number of newest container images to discover/assess per repository. |
| Non-OS Package Support | This feature is enabled by default. Select No if you want to disable scanning of language libraries. |
Assessing Retagged ECR Images
Auto polling does not assess a retagged ECR image, because ECR does not treat a retag as a new image: the image digest is unchanged, so no new image entry is created for the poller to discover.
To assess a retagged image, request an on-demand assessment through the Lacework API:
POST /api/v2/Vulnerabilities/Containers/scan
For more information, see Vulnerabilities in the Lacework API (v2) documentation.
You can still find a retagged image by its imageId in the Lacework Dashboard, because the image ID does not change when an image is retagged.
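The script below is an added example, not part of the Lacework documentation or CLI: it requests the on-demand assessment of a retagged image through the API endpoint named above, splitting an ECR image reference into the registry, repository, and tag that the endpoint takes separately. Beyond the endpoint path on this page, it assumes that LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET are provided in the environment, that the token request body (keyId, expiryTime) and scan request body (registry, repository, tag) match the Lacework API v2 reference for your version, and that curl and sed are available.

```shell
#!/bin/sh
# Added example (not from the Lacework docs or CLI): request an on-demand
# assessment of a retagged ECR image through the Lacework API v2, since
# auto polling does not see a retag (ECR creates no new image entry for it).
# Assumptions not on the page: LW_ACCOUNT, LW_API_KEY and LW_API_SECRET come
# from the environment; the token body (keyId, expiryTime) and scan body
# (registry, repository, tag) follow the API v2 reference; curl and sed exist.
set -eu

# Split "ACCT.dkr.ecr.REGION.amazonaws.com/repo/path:tag" into three lines
# (registry, repository, tag). The scan endpoint wants the three separately,
# and the repository must not include the registry. Digest references are
# rejected: this example handles tags only.
lw_split_image_ref() {
  ref="$1"
  registry="${ref%%/*}"
  rest="${ref#*/}"
  [ "$rest" != "$ref" ] || { echo "missing repository: $ref" >&2; return 1; }
  case "$registry" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) echo "not an ECR registry: $registry" >&2; return 1 ;;
  esac
  case "$rest" in
    *@*) echo "digest references are not handled here: $ref" >&2; return 1 ;;
    *:*) ;;
    *)   echo "image reference has no tag: $ref" >&2; return 1 ;;
  esac
  printf '%s\n%s\n%s\n' "$registry" "${rest%:*}" "${rest##*:}"
}

# JSON body for POST /api/v2/Vulnerabilities/Containers/scan.
lw_scan_request_body() {
  printf '{"registry":"%s","repository":"%s","tag":"%s"}' "$1" "$2" "$3"
}

# Exchange the API key pair for a short-lived bearer token. The secret travels
# only in the X-LW-UAKS header, and the token expires after one hour.
lw_api_token() {
  curl -sS -X POST "https://${LW_ACCOUNT}.lacework.net/api/v2/access/tokens" \
    -H "X-LW-UAKS: ${LW_API_SECRET}" \
    -H 'Content-Type: application/json' \
    -d "{\"keyId\":\"${LW_API_KEY}\",\"expiryTime\":3600}" \
  | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# Request the scan and print the API response, which carries the request ID
# you can poll for the result.
lw_scan_image() {
  parts=$(lw_split_image_ref "$1")
  registry=$(printf '%s\n' "$parts" | sed -n 1p)
  repo=$(printf '%s\n' "$parts" | sed -n 2p)
  tag=$(printf '%s\n' "$parts" | sed -n 3p)
  token=$(lw_api_token)
  [ -n "$token" ] || { echo "could not obtain an API token" >&2; return 1; }
  curl -sS -X POST "https://${LW_ACCOUNT}.lacework.net/api/v2/Vulnerabilities/Containers/scan" \
    -H "Authorization: Bearer ${token}" \
    -H 'Content-Type: application/json' \
    -d "$(lw_scan_request_body "$registry" "$repo" "$tag")"
  echo
}

# Usage: LW_ACCOUNT=myaccount LW_API_KEY=... LW_API_SECRET=... \
#   sh lw_ecr_rescan.sh scan 123456789012.dkr.ecr.us-west-2.amazonaws.com/lw-test:latest
# Without "scan" the script only defines the functions and makes no requests.
if [ "${1:-}" = "scan" ]; then
  : "${LW_ACCOUNT:?set LW_ACCOUNT}" "${LW_API_KEY:?set LW_API_KEY}" "${LW_API_SECRET:?set LW_API_SECRET}"
  lw_scan_image "$2"
fi
```

Run it from the CI job that does the retag (for example, promoting an already-scanned digest to a release tag) so the new tag gets an assessment immediately instead of never; pass the full image reference exactly as you would give it to docker pull.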
Create an IAM Role and ECR Integration Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Lacework Terraform Provider that enables integrating supported container registries with Lacework using automation.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The example below creates a new IAM Role with the AmazonEC2ContainerRegistryReadOnly managed policy for the Amazon Elastic Container Registry (ECR) of the account configured inside the Terraform AWS provider and integrates it with your Lacework account.
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "lacework" {}
provider "aws" {
region = "us-west-2"
}
module "lacework_ecr" {
source = "lacework/ecr/aws"
version = "~> 0.1"
}
Validate the Integration
After Terraform finishes applying changes, you can use the Lacework CLI to validate the integration is working.
Open a terminal and trigger an on-demand container vulnerability scan of an image in one of the repositories in the ECR registry you just integrated. The registry domain, the repository (without the registry prefix), and the tag or image digest are passed as separate arguments:
lacework vuln ctr scan YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com YourRepository YourTagOrImageDigest --poll
note
To list all container registries configured in your account run lacework vuln ctr registries
You should see the vulnerability assessment of your repository.
lacework vulnerability container scan 123456789012.dkr.ecr.us-west-2.amazonaws.com lw-test latest --poll
A new vulnerability scan has been requested. (request_id: da123491-89f3-123d-a93b-d3a1980ee80a)
CONTAINER IMAGE DETAILS
  ID          sha256:48706bcd2b97520266df3cb0b3f42c3aaccf8b7819c1356c02b0609c4ec2dd98
  Digest      sha256:7b4c7ae1c8c91759449f7c0c62c4b90330443ed08f5ed761d4a2bf4331504bae
  Registry    123456789012.dkr.ecr.us-west-2.amazonaws.com
  Repository  lw-test
  Size        144.8 MB
  Created At  2021-03-03T23:28:46.220Z
  Tags        latest

VULNERABILITIES
  SEVERITY   COUNT   FIXABLE
  Critical       2         1
  High          32         8
  Medium       127        33
  Low          140         6
  Info         377         5
Try adding '--details' to increase the details shown about the vulnerability assessment.