By using AWS re:Post, you agree to the AWS re:Post Terms of Use

is there a way to restrict ECS/Fargate container launch only to run containers from a local ECR repository? is there a way to scan ECR or containers in specified accounts?

0

Currently when you run a task, you can specify anything you want in the "Image" property of "AWS::ECS::TaskDefinition" (ECR, Docker Hub, Custom repository). Is there a way to limit tasks to run only from a specified ECR repository on the organization level (e.g. SCP)?

Also, is there a way to scan ECR or containers in specified account to find what image they're based on? We are not looking at the out of the box ECR scanner, we're looking at something where we can incorporate custom validations.

1 Answer
2
Accepted Answer

To restrict ECS/Fargate container launches to only run containers from a local ECR repository, use SCPs in AWS Organizations to restrict ECS tasks to only use images from specified ECR repositories. This involves creating an SCP that denies the RegisterTaskDefinition action if the image is not from an allowed ECR repository. Here's a simplified example of what an SCP might look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificECRRepositoriesOnly",
      "Effect": "Deny",
      "Action": "ecs:RegisterTaskDefinition",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "ecs:taskDefinitionImage": [
            "arn:aws:ecr:*:account-id:repository/allowed-repo1*",
            "arn:aws:ecr:*:account-id:repository/allowed-repo2*"
          ]
        }
      }
    }
  ]
}

To enable ECR image scanning in specified accounts within an AWS Organization, you can follow a streamlined approach focusing on those targeted accounts:

  • Make a list of the AWS account IDs where ECR image scanning needs to be enabled.
  • Write a Lambda function that iterates over your list of specified accounts. For each account, the lambda function should:
    • Assume a role with the necessary permissions to access ECR in that account.
    • List all ECR repositories within the account using the AWS SDK.
    • Check if image scanning is enabled for each repository.
    • Enable image scanning for repositories where it is not already enabled.
  • Use AWS CloudWatch Events or AWS EventBridge to trigger your Lambda function on a regular schedule.

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
EXPERT
answered 8 months ago
profile picture
EXPERT
reviewed 8 months ago
profile picture
EXPERT
reviewed 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions