ECR Enhanced Scanning + EventBridge

0

Hello!

I'm trying to implement a Lambda function that is triggered after the scan of an image pushed into ECR is completed. The Lambda is supposed to send a scan summary to Slack in the form:

ECR repo url: $REPO_URL Critical 1 High 1 Medium 4

I set the EventBridge rule:

{
   "detail-type": ["ECR Image Scan"],
   "source": ["aws.ecr"]
}

and everything works fine when I have "Basic scanning" turned on. When I switch to "Enhanced scanning" (Scan on push all repositories, WITHOUT 'Continuously scan all repositories') the lambda is not triggered.

Could someone tell me what event to set so that lambda is called after enhanced scanning is completed?

If I execute: aws ecr describe-image-scan-findings, I see a summary and information about the completion of the scan as follows:

{
     "imageScanFindings": {
         "enhancedFindings": [
...
         "findingSeverityCounts": {
             "HIGH": 41,
             "MEDIUM": 50,
             "LOW": 2,
             "UNTRIAGED": 1,
             "CRITICAL": 6
         }


     "imageScanStatus": {
         "status": "COMPLETE",
         "description": "The scan was completed successfully."
     }
...

The strange thing is that if I click on "See findings" in the AWS panel, I see many more vulnerabilities than in "aws ecr describe-image-scan-findings":

aws ecr describe-image-scan-findings: 41 HIGH, 50 MEDIUM, 2 LOW, UNTRIAGED 1, CRITICAL 1

AWS web panel: 83 HIGH, 93 MEDIUM, 5 LOW, 7 CRITICAL

Of course, I check exactly the same image in both cases. Does anyone have an idea what these differences might be?

2 Answers
0

It seems, according to the documentation, that with enhanced scanning the event is sent by Inspector2 and not by ECR.

Event for an image scan finding update (enhanced scanning)

When enhanced scanning is turned on for your registry, the following event is sent by Amazon Inspector when the image scan finding is created, updated, or closed. For more information, see Enhanced scanning.

Event pattern:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"]
}

Finding Example:

{
    "version": "0",
    "id": "42dbea55-45ad-b2b4-87a8-afaEXAMPLE",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "123456789012",
    "time": "2021-12-03T18:02:30Z",
    "region": "us-east-2",
    "resources": [
        "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77eEXAMPLE"
    ],
    "detail": {
        "awsAccountId": "123456789012",
        "description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
        "findingArn": "arn:aws:inspector2:us-east-2:123456789012:finding/be674aaddd0f75ac632055EXAMPLE",
        "firstObservedAt": "Dec 3, 2021, 6:02:30 PM",
        "inspectorScore": 6.5,
        "inspectorScoreDetails": {
            "adjustedCvss": {
                "adjustments": [],
                "cvssSource": "REDHAT_CVE",
                "score": 6.5,
                "scoreSource": "REDHAT_CVE",
                "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
            }
        },
        "lastObservedAt": "Dec 3, 2021, 6:02:30 PM",
        "packageVulnerabilityDetails": {
            "cvss": [
                {
                    "baseScore": 6.5,
                    "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                    "source": "REDHAT_CVE",
                    "version": "3.0"
                },
                {
                    "baseScore": 5.8,
                    "scoringVector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
                    "source": "NVD",
                    "version": "2.0"
                },
                {
                    "baseScore": 8.1,
                    "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
                    "source": "NVD",
                    "version": "3.1"
                }
            ],
            "referenceUrls": [
                "https://access.redhat.com/errata/RHSA-2020:3915"
            ],
            "source": "REDHAT_CVE",
            "sourceUrl": "https://access.redhat.com/security/cve/CVE-2019-17498",
            "vendorCreatedAt": "Oct 16, 2019, 12:00:00 AM",
            "vendorSeverity": "Moderate",
            "vulnerabilityId": "CVE-2019-17498",
            "vulnerablePackages": [
                {
                    "arch": "X86_64",
                    "epoch": 0,
                    "name": "libssh2",
                    "packageManager": "OS",
                    "release": "12.amzn2.2",
                    "sourceLayerHash": "sha256:72d97abdfae3b3c933ff41e39779cc72853d7bd9dc1e4800c5294dEXAMPLE",
                    "version": "1.4.3"
                }
            ]
        },
        "remediation": {
            "recommendation": {
                "text": "Update all packages in the vulnerable packages section to their latest versions."
            }
        },
        "resources": [
            {
                "details": {
                    "awsEcrContainerImage": {
                        "architecture": "amd64",
                        "imageHash": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
                        "imageTags": [
                            "latest"
                        ],
                        "platform": "AMAZON_LINUX_2",
                        "pushedAt": "Dec 3, 2021, 6:02:13 PM",
                        "registry": "123456789012",
                        "repositoryName": "amazon/amazon-ecs-sample"
                    }
                },
                "id": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77EXAMPLE",
                "partition": "N/A",
                "region": "N/A",
                "type": "AWS_ECR_CONTAINER_IMAGE"
            }
        ],
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "title": "CVE-2019-17498 - libssh2",
        "type": "PACKAGE_VULNERABILITY",
        "updatedAt": "Dec 3, 2021, 6:02:30 PM"
    }
}

https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

EXPERT
answered 4 months ago
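As an added example (not code from the answer above or from AWS), here is a Lambda handler that consumes the "Inspector2 Finding" event shape shown above and posts one Slack line per finding. It assumes an environment variable named SLACK_WEBHOOK_URL holding a Slack incoming-webhook URL (name chosen for this example), and that EventBridge content filtering can match the nested detail.resources[].type field as written in RULE_PATTERN; check that pattern against a real event with `aws events test-event-pattern` before relying on it.

```python
"""Consume the enhanced-scanning finding event from EventBridge in a Lambda handler.

Added example, not code from the original answer. Assumes the "Inspector2 Finding"
event shape shown above and an environment variable SLACK_WEBHOOK_URL (a name chosen
here) holding an incoming webhook URL.
"""
import json
import os
import urllib.request

# The bare {"source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"]} rule also
# delivers EC2 and Lambda findings. Narrow it to ECR images and to the severities you want
# to page on; the severity list is a choice, not a requirement. (Assumption: EventBridge
# content filtering matches elements of the detail.resources array; verify with
# `aws events test-event-pattern`.)
RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
        "severity": ["CRITICAL", "HIGH", "MEDIUM"],
    },
}


def ecr_resource(event):
    """Return the ECR container image resource of a finding event, or None."""
    for res in event.get("detail", {}).get("resources", []):
        if res.get("type") == "AWS_ECR_CONTAINER_IMAGE":
            return res
    return None


def repo_url(event, image):
    """Build the registry hostname from the event's top-level region: the resource
    block reports region "N/A" (see the example above), so it cannot be used."""
    return "{}.dkr.ecr.{}.amazonaws.com/{}".format(
        image["registry"], event["region"], image["repositoryName"])


def finding_line(event):
    """One Slack line per finding; None when the finding is not about an ECR image."""
    res = ecr_resource(event)
    if res is None:
        return None
    image = res["details"]["awsEcrContainerImage"]
    detail = event["detail"]
    packages = ", ".join(
        "{}@{}".format(p["name"], p["version"])
        for p in detail.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", []))
    tags = ",".join(image.get("imageTags") or ["<untagged>"])
    return "[{}] {} ({}) {}:{} {} pkgs: {}".format(
        detail["severity"], detail["title"], detail["status"],
        repo_url(event, image), tags, image["imageHash"], packages or "n/a")


def post_to_slack(text, webhook_url):
    """POST {"text": ...} to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps({"text": text}).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None):
    """Lambda entry point: skip non-ECR findings, post everything else."""
    line = finding_line(event)
    if line is None:
        return {"posted": False}
    post_to_slack(line, os.environ["SLACK_WEBHOOK_URL"])
    return {"posted": True, "text": line}


# Constructed sample, abbreviated from the example event in the answer above.
SAMPLE_FINDING = {
    "detail-type": "Inspector2 Finding", "source": "aws.inspector2",
    "account": "123456789012", "region": "us-east-2",
    "detail": {
        "severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2019-17498 - libssh2",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2019-17498",
            "vulnerablePackages": [{"name": "libssh2", "version": "1.4.3"}]},
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "region": "N/A",
            "details": {"awsEcrContainerImage": {
                "registry": "123456789012", "repositoryName": "amazon/amazon-ecs-sample",
                "imageHash": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
                "imageTags": ["latest"]}}}],
    },
}

if __name__ == "__main__":
    print(finding_line(SAMPLE_FINDING))
```

Note that this event carries a single finding and no per-scan severity counts, so it cannot by itself produce the "Critical 1 High 1 Medium 4" summary the question asks for; it is the right trigger for per-CVE alerting, and for a per-image summary you need a further lookup of the image's findings.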
0

Hi,

Did you notice

When enhanced scanning is turned on, Amazon ECR sends an event to EventBridge when the scan frequency for a repository is changed. Amazon Inspector emits events to EventBridge when an initial scan is completed and when an image scan finding is created, updated, or closed.

in https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

If you look at this post detailing the EventBridge integration https://devpress.csdn.net/cloudnative/62f3778f7e66823466186b5b.html, events are raised when a (new) vulnerability is found, not when a scan (with already known vulnerabilities) is done.

I guess that this has to be confirmed by some tests: v1 of image (no vuln -> no event), v2 with vuln -> event, v3 with no vuln -> no event, v4 with vuln -> event.

Best,

Didier

AWS
EXPERT
answered 4 months ago
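Following on from the point above that Inspector emits one event per finding rather than one per scan, here is an added example (not code from either answer or from AWS) of how to still get the per-image summary the question wants: on each "Inspector2 Finding" event, identify the image and ask ECR for that image's current summary with DescribeImageScanFindings, the same call the question already runs from the CLI, then post once per image digest. The ECR client is injected so the example runs offline against a constructed FakeEcr; in Lambda you would pass boto3.client("ecr"). The in-memory `seen` set stands in for a durable dedupe store (for example a DynamoDB conditional put), which is an assumption about deployment, not something the thread describes.

```python
"""Per-image summary when enhanced scanning is on.

Added example, not code from the original thread. Inspector emits one EventBridge event
per finding, so each finding event triggers a DescribeImageScanFindings lookup for the
image and the summary is posted once per digest. The ECR client is injected (pass
boto3.client("ecr") in Lambda); `seen` is an in-memory stand-in for a durable store.
"""

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED")


def image_from_finding(event):
    """(registry, repositoryName, imageHash) from a finding event, or None for non-ECR findings."""
    for res in event.get("detail", {}).get("resources", []):
        if res.get("type") == "AWS_ECR_CONTAINER_IMAGE":
            img = res["details"]["awsEcrContainerImage"]
            return img["registry"], img["repositoryName"], img["imageHash"]
    return None


def scan_summary(ecr, registry, repo, digest):
    """Return (imageScanStatus.status, findingSeverityCounts) for one image digest."""
    resp = ecr.describe_image_scan_findings(
        registryId=registry, repositoryName=repo, imageId={"imageDigest": digest})
    counts = resp.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return resp["imageScanStatus"]["status"], counts


def format_summary(repo_url, counts):
    """Render the line in the form the question asks for, highest severity first."""
    parts = ["ECR repo url: " + repo_url]
    for sev in SEVERITY_ORDER:
        if counts.get(sev):
            parts.append("{} {}".format(sev.capitalize(), counts[sev]))
    return " ".join(parts)


def handle_finding(event, ecr, seen):
    """Return the text to post for this event, or None when nothing should be posted.

    None is returned for non-ECR findings, for images already reported, and while ECR
    still reports the scan as not COMPLETE: finding events can arrive before the scan
    has finished, so a summary taken on the first one could under-count. A later
    finding event for the same digest retries the lookup.
    """
    img = image_from_finding(event)
    if img is None:
        return None
    registry, repo, digest = img
    if digest in seen:
        return None
    status, counts = scan_summary(ecr, registry, repo, digest)
    if status != "COMPLETE":
        return None
    seen.add(digest)
    url = "{}.dkr.ecr.{}.amazonaws.com/{}".format(registry, event["region"], repo)
    return format_summary(url, counts)


class FakeEcr:
    """Constructed stand-in for boto3's ECR client: replays canned responses in order."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []

    def describe_image_scan_findings(self, **kwargs):
        self.calls.append(kwargs)
        return self.responses.pop(0)


# Constructed sample data: the finding event abbreviated from the first answer, and the
# severity counts copied from the question's describe-image-scan-findings output.
SAMPLE_FINDING = {
    "source": "aws.inspector2", "detail-type": "Inspector2 Finding", "region": "us-east-2",
    "detail": {"severity": "MEDIUM", "status": "ACTIVE", "title": "CVE-2019-17498 - libssh2",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "details": {"awsEcrContainerImage": {
            "registry": "123456789012", "repositoryName": "amazon/amazon-ecs-sample",
            "imageHash": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
            "imageTags": ["latest"]}}}]},
}
SCAN_RUNNING = {"imageScanStatus": {"status": "IN_PROGRESS"}}
SCAN_DONE = {
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {"findingSeverityCounts": {
        "HIGH": 41, "MEDIUM": 50, "LOW": 2, "UNTRIAGED": 1, "CRITICAL": 6}},
}

if __name__ == "__main__":
    seen, ecr = set(), FakeEcr([SCAN_RUNNING, SCAN_DONE])
    for _ in range(3):   # three finding events for one image: skip, post, skip
        print(handle_finding(SAMPLE_FINDING, ecr, seen))
```

Two caveats for a real deployment: a Lambda execution environment is not shared across concurrent invocations, so the dedupe must live in an external store or you will get duplicate posts; and the counts posted are the API's findingSeverityCounts, i.e. the numbers the question's CLI call shows, which the question reports as differing from the console. If you also subscribe to the initial-scan-completion event that the quoted documentation mentions, the same lookup can run from that trigger instead; that event's detail-type is not shown in this thread, so take it from the ECR documentation.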
