Is there a way to restrict ECS/Fargate container launches to only run containers from a local ECR repository? Is there a way to scan ECR or containers in specified accounts?

0

Currently when you run a task, you can specify anything you want in the "Image" property of "AWS::ECS::TaskDefinition" (ECR, Docker Hub, Custom repository). Is there a way to limit tasks to run only from a specified ECR repository on the organization level (e.g. SCP)?

Also, is there a way to scan ECR or containers in specified accounts to find what image they're based on? We are not looking at the out-of-the-box ECR scanner; we're looking at something where we can incorporate custom validations.

1 answer
2
Accepted answer

To restrict ECS/Fargate container launches to only run containers from a local ECR repository, use SCPs in AWS Organizations to restrict ECS tasks to only use images from specified ECR repositories. This involves creating an SCP that denies the RegisterTaskDefinition action if the image is not from an allowed ECR repository. Here's a simplified example of what an SCP might look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificECRRepositoriesOnly",
      "Effect": "Deny",
      "Action": "ecs:RegisterTaskDefinition",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "ecs:taskDefinitionImage": [
            "arn:aws:ecr:*:account-id:repository/allowed-repo1*",
            "arn:aws:ecr:*:account-id:repository/allowed-repo2*"
          ]
        }
      }
    }
  ]
}

To enable ECR image scanning in specified accounts within an AWS Organization, you can follow a streamlined approach focusing on those targeted accounts:

  • Make a list of the AWS account IDs where ECR image scanning needs to be enabled.
  • Write a Lambda function that iterates over your list of specified accounts. For each account, the Lambda function should:
    • Assume a role with the necessary permissions to access ECR in that account.
    • List all ECR repositories within the account using the AWS SDK.
    • Check if image scanning is enabled for each repository.
    • Enable image scanning for repositories where it is not already enabled.
  • Use AWS CloudWatch Events or AWS EventBridge to trigger your Lambda function on a regular schedule.

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

Expert, answered 2 months ago
Expert, reviewed 2 months ago
Expert, reviewed 2 months ago
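The per-account step of the Lambda outlined in the answer, as an added example that is not part of the original answer or of any AWS sample: the ECR client is injected so the audit logic can be exercised offline against a constructed fake client, and it only needs boto3 when actually assuming into an account. The role name `EcrScanAuditRole` and the region are assumptions; the real client calls used are `sts.assume_role`, `ecr.describe_repositories` and `ecr.put_image_scanning_configuration`.

```python
# Added example (not the original answer's code). Assumes boto3 and a hypothetical
# cross-account role AUDIT_ROLE with ecr:DescribeRepositories/PutImageScanningConfiguration.
AUDIT_ROLE = "EcrScanAuditRole"  # hypothetical role name, must exist in every target account
REGION = "us-east-1"             # assumption: audit one region per invocation
def repositories_without_scan_on_push(ecr):
    """Page through describe_repositories; return names where scanOnPush is off or unset."""
    names, token = [], None
    while True:
        page = ecr.describe_repositories(**({"nextToken": token} if token else {}))
        for repo in page.get("repositories", []):
            if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False):
                names.append(repo["repositoryName"])
        token = page.get("nextToken")
        if not token:
            return names
def enable_scan_on_push(ecr, names):
    """Turn on scan-on-push for each named repository; return how many were changed."""
    for name in names:
        ecr.put_image_scanning_configuration(
            repositoryName=name, imageScanningConfiguration={"scanOnPush": True})
    return len(names)
def remediate_account(ecr):
    """Audit one account's repositories and enable scanning wherever it is missing."""
    return enable_scan_on_push(ecr, repositories_without_scan_on_push(ecr))
def ecr_client_for_account(account_id):
    """Assume AUDIT_ROLE in the target account and return an ECR client bound to it."""
    import boto3  # imported here so the audit logic above runs without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{AUDIT_ROLE}",
        RoleSessionName="ecr-scan-audit")["Credentials"]
    return boto3.client("ecr", region_name=REGION,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])
class FakeEcr:
    """Constructed stand-in for the boto3 ECR client: two pages, two repos unprotected."""
    PAGES = {None: {"repositories": [
                 {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}},
                 {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}}],
                 "nextToken": "p2"},
             "p2": {"repositories": [{"repositoryName": "legacy"}]}}  # no config block at all
    def __init__(self):
        self.enabled = []
    def describe_repositories(self, nextToken=None):
        return self.PAGES[nextToken]
    def put_image_scanning_configuration(self, repositoryName, imageScanningConfiguration):
        self.enabled.append(repositoryName)
```

In the real handler, loop over the account list, call `ecr_client_for_account(account_id)` and pass the result to `remediate_account`; repositories with no `imageScanningConfiguration` block at all are treated as unprotected, which is the case the fake's second page exercises.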
