Amazon ECR Enhanced scanning

0

I have enabled Enhanced scanning in the private registry by clicking on Scanning - New.
Step 1: Edited the selected Enhanced scanning by selecting the check box "Continuously scan all repositories".
Step 2: Amazon Inspector V2 has been enabled, and a CloudWatch event rule has also been created automatically.
Step 3: Created a new repo and then pushed an image.
Step 4: Then I am able to see the Amazon repository in Amazon Inspector.
Step 5: I am not able to find the findings generated by Inspector after the scan. It always shows Scan status: ACTIVE but no findings are generated.

I am able to see Amazon Inspector sending events to Amazon EventBridge, for which the rule was created when we enabled enhanced scanning. I saw it in CloudTrail.

A few things to consider: when I set the scanning control to Basic and perform the scan manually, I am able to find the findings for the image that was pushed. (This is not linked to Amazon Inspector.)

2 answers
1

Hi,

Amazon Inspector uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Inspector. Service-linked roles are predefined by Amazon Inspector and include all the permissions that the service requires to call other AWS services on your behalf.

Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector2; refer to https://docs.aws.amazon.com/inspector/latest/user/using-service-linked-roles.html

answered 2 years ago
  • But this is not what I am looking for. As you have conveyed, the service-linked role named AWSServiceRoleForAmazonInspector2 gets created when I enable enhanced scanning in Amazon ECR.

    The scan is not getting completed; instead, it shows Scan status: active, but also no findings are generated. Whereas when I stop the enhanced scan and do a manual scan, the findings are generated as expected in Amazon ECR.

0

I had a similar problem with Inspector v2 not scanning ECR repos after it was first set up shortly after re:Invent. I opened a support case on it and they found that a race condition could occur back then that is fixed now. There was a workaround to get it going for my account. The workaround was to go to ECR and disable continuous scanning, save it, wait a minute, then re-enable continuous scanning and save that. Shortly after that the ECR repos were producing findings. You might want to give that a shot.

klarson
answered 2 years ago
  • We still have this issue and the workaround here helped. Many thanks :)
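The workaround from the answer above (disable continuous scanning, wait about a minute, re-enable it) carried out with the AWS CLI instead of the console, followed by a check that the registry is really on ENHANCED + CONTINUOUS_SCAN and a count of the ECR image findings Inspector reports. This is an added example, not code from the thread or from AWS. It assumes AWS CLI v2 with credentials and a default region already configured and permission to call ecr:PutRegistryScanningConfiguration, ecr:GetRegistryScanningConfiguration and inspector2:ListFindings; the live calls only run when RUN_AWS=1 is set, and the JSON fed to the check functions in the usage section is constructed, not captured from a real account.

```shell
#!/bin/sh
# Added example (not from the re:Post thread or AWS documentation).
# Assumptions: AWS CLI v2, default profile/region configured, RUN_AWS=1 opts in
# to the live calls; without it only the offline check functions are defined.
set -eu

# Scanning rules for "continuously scan all repositories" (wildcard filter).
ENHANCED_RULES='[{"scanFrequency":"CONTINUOUS_SCAN","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]'

# Workaround step 1: switch the registry back to BASIC, which turns continuous
# (Inspector-backed) scanning off.
disable_continuous_scanning() {
  aws ecr put-registry-scanning-configuration --scan-type BASIC
}

# Workaround step 2: switch back to ENHANCED with continuous scanning of all repos.
enable_continuous_scanning() {
  aws ecr put-registry-scanning-configuration \
    --scan-type ENHANCED --rules "$ENHANCED_RULES"
}

# Offline check on the JSON returned by `aws ecr get-registry-scanning-configuration`:
# succeeds (exit 0) only if scanType is ENHANCED and a CONTINUOUS_SCAN rule exists.
scan_config_is_continuous_enhanced() {
  json="$1"
  printf '%s' "$json" | grep -q '"scanType": *"ENHANCED"' || return 1
  printf '%s' "$json" | grep -q '"scanFrequency": *"CONTINUOUS_SCAN"' || return 1
  return 0
}

# Live query: Inspector findings whose resource is an ECR container image.
list_ecr_findings() {
  aws inspector2 list-findings --filter-criteria \
    '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}]}'
}

# Offline helper: count ECR image findings in `list-findings` output. Each finding
# carries one resource entry of type AWS_ECR_CONTAINER_IMAGE, so counting that
# string counts findings. Prints 0 when the list is empty.
count_ecr_findings() {
  printf '%s' "$1" | grep -o '"AWS_ECR_CONTAINER_IMAGE"' | wc -l | tr -d ' '
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  disable_continuous_scanning
  sleep 60                                   # the answer says to wait a minute
  enable_continuous_scanning
  cfg=$(aws ecr get-registry-scanning-configuration)
  if scan_config_is_continuous_enhanced "$cfg"; then
    echo "registry is on ENHANCED scanning with CONTINUOUS_SCAN"
  else
    echo "registry scanning configuration is NOT enhanced/continuous" >&2
    exit 1
  fi
  # Findings appear once Inspector has scanned the pushed images; re-run to poll.
  findings=$(list_ecr_findings)
  echo "ECR image findings reported by Inspector: $(count_ecr_findings "$findings")"
fi
```

Run it as `RUN_AWS=1 sh ecr-rescan.sh` after Inspector is enabled; if the findings count stays at 0 for a pushed image well after the configuration check passes, the scan itself is not producing results and the support-case route from the answer is the next step. Scan status ACTIVE on the registry only means the registry is enrolled for continuous scanning, not that a scan of a particular image has completed, which is why the count of findings is checked separately.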
