Bernard Pietraga

AWS ECR scanning with alerts for free

Free AWS ECR Scanning

AWS offers free ECR (Amazon Elastic Container Registry) container scans once a day (anything over this and you will get billed). Here is a quick way to get free AWS ECR scanning working.

In the past I created code to trigger scans with Lambda (Python boto3 code). But some time ago I found an open-source repository that does exactly that in Go: https://github.com/nagypeterjob/ecr-scan-lambda. You can wrap it and manage it with the following Terraform module from Cloudposse: https://github.com/cloudposse/terraform-aws-lambda-function

I have spoken with AWS people, and the underlying scan information comes from internal tools and a couple of open-source tools like https://github.com/quay/clair. Results are compiled into one set of findings.
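The scheduled Lambda approach mentioned above, as an added Python boto3 example (not the author's original code and not code from ecr-scan-lambda): it starts a scan of the newest image in each repository, tolerates ECR refusing a rescan, and returns the CRITICAL/HIGH counts to alert on. The function names and the severity threshold are assumptions.

```python
import logging

ALERT_SEVERITIES = ("CRITICAL", "HIGH")  # assumption: severities worth an alert
log = logging.getLogger("ecr-scan")


def newest_digest(ecr, repo):
    """Digest of the most recently pushed image in repo, or None if it is empty."""
    images = []
    for page in ecr.get_paginator("describe_images").paginate(repositoryName=repo):
        images.extend(page["imageDetails"])
    return max(images, key=lambda i: i["imagePushedAt"])["imageDigest"] if images else None


def scan_repo(ecr, repo):
    """Scan the newest image of repo; return its alert-worthy severity counts."""
    digest = newest_digest(ecr, repo)
    if digest is None:
        return {}
    image = {"imageDigest": digest}
    try:
        ecr.start_image_scan(repositoryName=repo, imageId=image)
    except ecr.exceptions.LimitExceededException:
        # ECR refused a rescan of this image; reuse the result of the last scan.
        log.info("%s: scan limit reached, reusing previous findings", repo)
    # Scans are asynchronous: block until the scan status is COMPLETE.
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repo, imageId=image)
    result = ecr.describe_image_scan_findings(repositoryName=repo, imageId=image)
    counts = result["imageScanFindings"].get("findingSeverityCounts", {})
    return {sev: counts[sev] for sev in ALERT_SEVERITIES if counts.get(sev)}


def collect_alerts(ecr):
    """Map repository name -> {severity: count} for every repo that needs attention."""
    alerts = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            found = scan_repo(ecr, repo["repositoryName"])
            if found:
                alerts[repo["repositoryName"]] = found
    return alerts


def handler(event, context):
    """Lambda entry point, meant to run on a once-a-day schedule."""
    import boto3  # shipped with the Lambda Python runtime
    alerts = collect_alerts(boto3.client("ecr"))
    for repo, found in alerts.items():
        log.warning("%s has unresolved findings: %s", repo, found)
    return alerts
```

The Lambda role needs `ecr:DescribeRepositories`, `ecr:DescribeImages`, `ecr:StartImageScan` and `ecr:DescribeImageScanFindings`; nothing else is required for this handler.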

Why is container scanning important?

Container scanning is important for quantifying the security of applications’ libraries inside containers. Scanning the contents of a container will enable you to identify any potential threats or weaknesses and find solutions to address these issues. This gives you time to repair any issues the scan finds before it is too late. Containers are often used to run very critical applications, and any vulnerabilities could have dire consequences. Additionally, because containers are often used in distributed environments, such as cloud-based systems, it is essential to ensure that they are secure to prevent unauthorized access or other security breaches.

Another layer of security worth implementing is image signing, which prevents running malicious containers that impersonate legitimate distributions but lack the expected PGP keys or carry different ones.

Go with distroless images after ECR scans

If you find issues with your image, consider using Distroless if your application design supports it. You can still copy in libraries if you need them, but make sure to update to the patched versions.

https://github.com/GoogleContainerTools/distroless

Distroless images are smaller and more lightweight than full distribution images because they contain only the parts required to run the program, whereas full distribution images can contain an array of unnecessary parts and libraries. More compact distroless images are also faster and simpler to download and deploy, which helps to save processing time and money. Moreover, because a distroless image does not include unwanted components, it is more secure than a full distribution image: there are fewer targets that hackers could exploit. This reduces the risk of security breaches, protects your applications and, based on my experience, should produce fewer vulnerability findings when you include libraries manually.