Amazon ECR Enhanced scanning


I have enabled Enhanced scanning in the private registry by clicking on Scanning - New Step 1: Edit Selected Enhanced scanning by selecting the check box of Continuously scan all repositories. Step 2: Amazon Inspector of V2 has been enabled, and also a cloud watch event rule have been created automatically. Step 3: Created a new repo and then pushed an image. Step 4: Then I am able to see the Amazon repository in Amazon inspector. Step 5: I am not able to find the findings generated by inspector after the scan. It is always showing Scan status: ACTIVE but no finding getting generated.

I am able to see Amazon inspector sending events to Amazon event bridge for which the rule has been created when we enabled the enhanced scanning. I saw it is in Cloud Trail.

Few things to consider, when set the scanning control to Basic and If I perform the scan manually then I am able to find the findings with respect to the image pushed. (This is not linked to Amazon inspector)

2 Answers


Amazon Inspector uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Inspector. Service-linked roles are predefined by Amazon Inspector and include all the permissions that the service requires to call other AWS services on your behalf.

Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector2 refer-

profile picture
answered 2 years ago
  • But this is not something, I am looking at. As you have conveyed service-linked role named AWSServiceRoleForAmazonInspector2 gets created when I enable enhanced scanning in Amazon ECR.

    The scan is not getting completed, instead of that, it shows Scan status is active, but also no findings getting generated. Whereas when I stop enhanced scan do a manual scan, the findings are generated as expected in Amazon ECR.


I had a similar problem with Inspector v2 not scanning ECR repos after it was first set up shortly after re:Invent. I opened a support case on it and they found that a race condition could occur back then that is fixed now. There was a workaround to get it going for my account. The workaround was to got to ECR and disable continuous scanning, save it, wait a minute, then re-enable continuous scanning and save that. Shortly after that ECR repos were producing findings. You might want to give that a shot.

answered 2 years ago
  • we still have this issue and the workaround here helped. many thanks :)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions