
Integrate Amazon Elastic Container Registry

Container Registry Support

Amazon Elastic Container Registry (ECR) integrations support:

  • Auto polling - polling occurs every 15 minutes.
  • On-demand scans via the API.
Note: An Amazon ECR integration can cover at most 1000 repositories, a limit imposed by the Docker V2 APIs.

Lacework scans the latest 5 tags per image in an ECR repository.

Integrate Using AWS IAM Role-Based Authentication

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container registries.
  3. Click + Add New.
  4. Click Amazon Container Registry (ECR) and select AWS IAM Role.
  5. Click Next.
  6. Follow the steps in the next section.

To use this authentication type, do the following:

  • Create a cross-account role that has 434813966438:role/lacework-platform as a trusted entity and that requires an external ID.
  • Attach the AmazonEC2ContainerRegistryReadOnly managed policy for the Amazon Elastic Container Registry to the cross-account role. For more information, see AmazonEC2ContainerRegistryReadOnly.
Info: AWS IAM role-based integrations are supported for AWS standard accounts only; IAM role-based integrations are not supported for AWS GovCloud accounts. As stated in the AWS Identity and Access Management documentation: You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.
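The two bullets above describe the role Lacework assumes: trusted entity plus external ID on the trust side, and only the read-only ECR managed policy on the permissions side. The following Python is an added example, not Lacework's or AWS's code, that builds such a trust policy and audits an existing one for the two things a reviewer should check before saving the integration: that the only principal is the Lacework platform role from the page (written here as the full ARN arn:aws:iam::434813966438:role/lacework-platform) and that an sts:ExternalId condition is present and matches the value entered in the Console. The external ID value and the audit functions are assumptions of this example.

```python
import json

# Trusted entity named on the page (account 434813966438, role lacework-platform),
# written as a full IAM ARN.
LACEWORK_PLATFORM_ROLE = "arn:aws:iam::434813966438:role/lacework-platform"
# The AWS managed policy the page says to attach, as its standard managed-policy ARN.
ECR_READONLY_POLICY = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy for the cross-account role: only the Lacework platform role may
    assume it, and only when it presents the external ID agreed with Lacework."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": LACEWORK_PLATFORM_ROLE},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return one finding per problem in the statements that allow assuming the role.
    An empty list means the trust policy is as tight as the page's instructions require."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could attempt to assume the role")
            elif p != LACEWORK_PLATFORM_ROLE:
                findings.append(f"unexpected principal {p}; only the Lacework platform role should be trusted")
        # The external ID is what stops a third party from being used to assume the
        # role on someone else's behalf (the confused-deputy problem).
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition on the assume-role statement")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId differs from the value entered in the Lacework Console")
    return findings


def audit_attached_policies(attached_policy_arns) -> list:
    """The role needs the read-only ECR policy and nothing broader."""
    attached = set(attached_policy_arns)
    findings = []
    if ECR_READONLY_POLICY not in attached:
        findings.append("AmazonEC2ContainerRegistryReadOnly is not attached")
    for arn in sorted(attached - {ECR_READONLY_POLICY}):
        findings.append(f"extra policy attached beyond read-only ECR access: {arn}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder; use the external ID generated in the Lacework Console.
    external_id = "EXAMPLE-EXTERNAL-ID"
    policy = build_trust_policy(external_id)
    print(json.dumps(policy, indent=2))
    print("trust findings:", audit_trust_policy(policy, external_id))
    print("policy findings:", audit_attached_policies([ECR_READONLY_POLICY]))
```

Run it against the trust document and attached-policy list you read back from IAM after creating the role; any finding means the role is either broader than the integration needs or cannot be assumed with the external ID the Console expects.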

  1. Configure the registry and complete any optional settings.

  2. For External ID, paste the external ID that you created when creating the cross-account role. If the external ID does not comply with the format requirements, click the Refresh icon to generate a new one. Then follow the steps to update the external ID in the AWS console before returning here to finish the integration.

  3. Click Save. The integration status displays Integration Successful only after its first assessment completes.

  4. Verify that assessments have started by viewing the table in Vulnerabilities > Containers.

    After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.

Configure Registry

Name
  Specify a unique name for the container registry in the Lacework Console.

External ID
  Paste the external ID that you created when creating the cross-account role. If the external ID does not comply with the format requirements, click the Refresh icon to generate a new one. Then follow the steps to update the external ID in the AWS console before returning here to finish the integration.

Role ARN
  Specify the ARN of the cross-account role that Lacework uses to access your AWS resources.

Registry Domain
  Specify the URL of your Amazon Elastic Container Registry (ECR) in the following format: YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com, where YourAWSAccount is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and YourRegion is your AWS region, such as us-west-2. Note: Do not prefix the URL with https://.

Optional Settings

Limit Image Tags
  If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND.

  Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz).

Limit Image Labels
  If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value. If you specify tag and label limits, they function as an AND.

Limit Repositories
  If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.

  Note: Do not include the registry in the repository name(s).

Images per Repo
  Set the maximum number of newest container images to discover/scan per repository. See Platform Scanner - Default Scanning Quotas for the maximum setting.

Non-OS Package Support
  This feature is enabled by default. Select No if you want to disable scanning of language libraries.
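The optional settings above interact in ways worth seeing on concrete data: multiple tag patterns or label pairs widen a single field, tag and label limits together narrow (AND), single wildcards match a prefix or suffix, repository names must omit the registry host, and Images per Repo keeps only the newest images of each repository. The following Python is an added example, not Lacework's scanner code, that applies those rules to a constructed image inventory. The Image type, the OR-within-a-field reading of multiple tags and labels, the substring reading of a tag limit with no wildcard, and the default of 5 images per repository are assumptions of this example chosen to match the page's wording.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Image:
    """Constructed stand-in for what a registry poll returns about one image."""
    repository: str      # repository name without the registry host
    tags: list           # tags pointing at this image
    labels: dict         # image config labels
    pushed_at: datetime  # push time, used for the "newest N per repo" rule


def tag_matches(tag: str, pattern: str) -> bool:
    """Single-wildcard match: 'abc*' matches a prefix, '*xyz' a suffix.
    A pattern without '*' is 'text from an image tag', treated as a substring."""
    if pattern.count("*") > 1:
        raise ValueError(f"only a single wildcard is supported: {pattern!r}")
    if "*" not in pattern:
        return pattern in tag
    prefix, suffix = pattern.split("*")
    return (len(tag) >= len(prefix) + len(suffix)
            and tag.startswith(prefix) and tag.endswith(suffix))


def parse_labels(spec: str) -> list:
    """'key:value,key2:value2' -> [('key', 'value'), ('key2', 'value2')].
    Only the first ':' separates key from value, so values may contain ':'."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"label filter must be key:value, got {item!r}")
        key, value = item.split(":", 1)
        pairs.append((key, value))
    return pairs


def parse_repositories(spec: str) -> list:
    """Comma-separated repository names; rejects names that include the ECR registry host."""
    repos = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ".amazonaws.com" in item or re.match(r"\d{12}\.dkr\.ecr\.", item):
            raise ValueError(f"do not include the registry in the repository name: {item!r}")
        repos.append(item)
    return repos


def select_images(images, limit_tags=(), limit_labels=(), limit_repositories="",
                  images_per_repo=5):
    """Repository limit first, then tag and label limits (OR within a field, AND across
    the two fields), then keep only the newest images_per_repo images per repository."""
    repos = parse_repositories(limit_repositories) if limit_repositories else None
    candidates = []
    for img in images:
        if repos is not None and img.repository not in repos:
            continue
        if limit_tags and not any(tag_matches(t, p) for t in img.tags for p in limit_tags):
            continue
        if limit_labels and not any(img.labels.get(k) == v for k, v in limit_labels):
            continue
        candidates.append(img)
    kept = {}
    selected = []
    for img in sorted(candidates, key=lambda i: i.pushed_at, reverse=True):
        if kept.get(img.repository, 0) < images_per_repo:
            kept[img.repository] = kept.get(img.repository, 0) + 1
            selected.append(img)
    return selected


# Constructed sample inventory.
IMAGES = [
    Image("app/api", ["release-1.2", "latest"], {"team": "payments"}, datetime(2024, 1, 3)),
    Image("app/api", ["release-1.1"], {"team": "payments"}, datetime(2024, 1, 1)),
    Image("app/worker", ["dev-7"], {"team": "payments"}, datetime(2024, 1, 2)),
    Image("tools/scratch", ["release-9"], {}, datetime(2024, 1, 4)),
]

if __name__ == "__main__":
    chosen = select_images(IMAGES, limit_tags=["release*"],
                           limit_labels=parse_labels("team:payments"), images_per_repo=1)
    for img in chosen:
        print(img.repository, img.tags)
```

With the tag limit alone, tools/scratch is assessed because its tag starts with "release"; adding the label limit drops it because the two limits are ANDed, and Images per Repo set to 1 then leaves only the newest app/api image.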

Integrate Using Key ID Access Key-Based Authentication

To use this authentication type, the AWS IAM user you specify must have permissions to access the Amazon Container Registry, with the AmazonEC2ContainerRegistryReadOnly managed policy attached. For more information, see AmazonEC2ContainerRegistryReadOnly. The AmazonEC2ContainerRegistryReadOnly managed policy applies to all regions. If you want to narrow the policy to a single region, create a custom policy and scope it to your region. For more information, see Control access to AWS regions using IAM policies. The specified AWS IAM user does not need an AWS Console login to be enabled.

Info: AWS key ID access key-based integrations are supported for AWS standard and AWS GovCloud accounts.

  1. Click Amazon Container Registry (ECR) and select AWS Key ID Access Key.
  2. Click Next.
  3. Configure the registry and complete any optional settings.
  4. Click Save. The integration status displays Integration Successful only after its first assessment completes.
  5. Verify that assessments have started by viewing the table in Vulnerabilities > Containers.

After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.

Configure Registry

Name
  Specify a unique name for the container registry in the Lacework Console.

Access Key ID
  Specify an AWS access key ID for an AWS IAM user.

Secret Access Key
  Specify the AWS secret key for the specified AWS access key.

Registry Domain
  Specify the URL of your Amazon Elastic Container Registry (ECR) in the following format: YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com, where YourAWSAccount is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and YourRegion is your AWS region, such as us-west-2. Note: Do not prefix the URL with https://.

Optional Settings

Limit Image Tags
  If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND.

  Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz).

Limit Image Labels
  If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value. If you specify tag and label limits, they function as an AND.

Limit Repositories
  If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.

  Note: Do not include the registry in the repository name(s).

Images per Repo
  Set the maximum number of newest container images to discover/scan per repository. See Platform Scanner - Default Scanning Quotas for the maximum setting.

Non-OS Package Support
  This feature is enabled by default. Select No if you want to disable scanning of language libraries.

Assessing Retagged ECR Images

Assessing a retagged ECR image is not supported because ECR does not consider it a new image and therefore does not create a new entry.

To assess a retagged image, use on-demand assessment through the Lacework API:

POST /api/v2/Vulnerabilities/Containers/scan

For more information, see Vulnerabilities in the Lacework API (v2) documentation.

You can still find a retagged image using imageId in the Lacework Dashboard because the image ID does not change for a retagged image.
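The on-demand endpoint above takes the same three coordinates the Registry Domain setting describes: the ECR registry host in the form YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com with no https:// prefix, a repository name without that host, and a tag (or, for a retagged image, the tag that now points at the unchanged image ID). The following Python is an added example, not Lacework's client or SDK, that validates those inputs before building the request and then submits it. The request-body field names (registry, repository, tag), the token exchange (POST /api/v2/access/tokens with the secret in an X-LW-UAKS header and the key ID in the body), the API host of the form YourAccount.lacework.net, and the environment variable names LW_ACCOUNT, LW_API_KEY and LW_API_SECRET are assumptions of this example taken from memory of the Lacework API v2 and CLI documentation; confirm them against the API reference before relying on them.

```python
import json
import os
import re
import urllib.request

# Registry host format from the page: 12-digit account, dkr.ecr, region, amazonaws.com.
ECR_DOMAIN = re.compile(r"\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com")


def validate_registry_domain(registry: str):
    """Return None if the registry matches the documented format, else an error message."""
    if registry.startswith(("http://", "https://")):
        return "do not prefix the registry domain with a scheme such as https://"
    if not ECR_DOMAIN.fullmatch(registry):
        return "expected <12-digit account>.dkr.ecr.<region>.amazonaws.com"
    return None


def build_scan_request(registry: str, repository: str, tag: str) -> dict:
    """Body for POST /api/v2/Vulnerabilities/Containers/scan.
    Field names are assumed from the Lacework API v2 reference."""
    problem = validate_registry_domain(registry)
    if problem:
        raise ValueError(problem)
    if repository.startswith(registry):
        raise ValueError("repository must not include the registry domain")
    if not tag:
        raise ValueError("a tag is required; ECR images are identified by registry, repository and tag")
    return {"registry": registry, "repository": repository, "tag": tag}


def _post_json(url: str, body: dict, headers: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json", **headers},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_token(api_host: str, key_id: str, secret: str, expiry_seconds: int = 3600) -> str:
    """Exchange an API key for a short-lived bearer token (assumed endpoint and fields)."""
    data = _post_json(f"https://{api_host}/api/v2/access/tokens",
                      {"keyId": key_id, "expiryTime": expiry_seconds},
                      {"X-LW-UAKS": secret})
    return data["token"]


def request_scan(api_host: str, token: str, body: dict) -> dict:
    """Submit the on-demand scan and return the API's response as parsed JSON."""
    return _post_json(f"https://{api_host}/api/v2/Vulnerabilities/Containers/scan",
                      body, {"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    # Assumed environment variable names; values are the constructed ones from the page's CLI example.
    api_host = f"{os.environ['LW_ACCOUNT']}.lacework.net"
    token = get_token(api_host, os.environ["LW_API_KEY"], os.environ["LW_API_SECRET"])
    body = build_scan_request("123456789012.dkr.ecr.us-west-2.amazonaws.com", "lw-test", "latest")
    print(json.dumps(request_scan(api_host, token, body), indent=2))
```

Because the image ID does not change when an image is retagged, the scan requested this way is attributed to the same image entry you can already find by imageId in the Dashboard; only the tag in the request needs to be the new one.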

Create an IAM Role and ECR Integration Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Lacework Terraform Provider that enables integrating supported container registries with Lacework using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The example below creates a new IAM Role with the AmazonEC2ContainerRegistryReadOnly managed policy for the Amazon Elastic Container Registry (ECR) of the account configured inside the Terraform AWS provider and integrates it with your Lacework account.

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

provider "lacework" {}

provider "aws" {
  region = "us-west-2"
}

module "lacework_ecr" {
  source  = "lacework/ecr/aws"
  version = "~> 0.1"
}

Validate the Integration

After Terraform finishes applying changes, you can use the Lacework CLI to validate the integration is working.

Open a Terminal and trigger an on-demand container vulnerability scan of one of your repositories that lives in the ECR registry you just integrated:

lacework vuln ctr scan YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com YourRepository YourTagOrImageDigest --poll
Note: To list all container registries configured in your account, run lacework vuln ctr registries.

You should see the vulnerability assessment of your repository.

lacework vulnerability container scan 123456789012.dkr.ecr.us-west-2.amazonaws.com lw-test latest --poll
A new vulnerability scan has been requested. (request_id: da123491-89f3-123d-a93b-d3a1980ee80a)

CONTAINER IMAGE DETAILS
  ID          sha256:48706bcd2b97520266df3cb0b3f42c3aaccf8b7819c1356c02b0609c4ec2dd98
  Digest      sha256:7b4c7ae1c8c91759449f7c0c62c4b90330443ed08f5ed761d4a2bf4331504bae
  Registry    123456789012.dkr.ecr.us-west-2.amazonaws.com
  Repository  lw-test
  Size        144.8 MB
  Created At  2021-03-03T23:28:46.220Z
  Tags        latest

VULNERABILITIES
  SEVERITY  COUNT  FIXABLE
  Critical      2        1
  High         32        8
  Medium      127       33
  Low         140        6
  Info        377        5

Try adding '--details' to increase the details shown about the vulnerability assessment.