ECR Enhanced Scanning + EventBridge

0

Hello,

I'm trying to implement a lambda function that is triggered after the scan of an image pushed into the ECR is completed. Lambda is supposed to send a scan summary to Slack in the form:

ECR repo url: $REPO_URL Critical 1 High 1 Medium 4

I set the EventBridge rule:

{
   "detail-type": ["ECR Image Scan"],
   "source": ["aws.ecr"]
}

and everything works fine when I have "Basic scanning" turned on. When I switch to "Enhanced scanning" (Scan on push all repositories, WITHOUT 'Continuously scan all repositories') the lambda is not triggered.

Could someone tell me what event to set so that lambda is called after enhanced scanning is completed?

If I execute: aws ecr describe-image-scan-findings, I see a summary and information about the completion of the scan as follows:

{
    "imageScanFindings": {
        "enhancedFindings": [
...
        "findingSeverityCounts": {
            "HIGH": 41,
            "MEDIUM": 50,
            "LOW": 2,
            "UNTRIAGED": 1,
            "CRITICAL": 6
        }
...
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "The scan was completed successfully."
    }
...

The strange thing is that if I click on "See findings" in the AWS panel, I see many more vulnerabilities than in "aws ecr describe-image-scan-findings":

aws ecr describe-image-scan-findings: 41 HIGH, 50 MEDIUM, 2 LOW, UNTRIAGED 1, CRITICAL 1

AWS web panel: 83 HIGH, 93 MEDIUM, 5 LOW, 7 CRITICAL

Of course, I checked exactly the same image in both cases. Does anyone have an idea what these differences might be?

Asked 4 months ago, viewed 363 times
2 answers
0

It seems, according to the documentation, that with enhanced scanning the event is sent by Inspector2 and not by ECR.

Event for an image scan finding update (enhanced scanning)

When enhanced scanning is turned on for your registry, the following event is sent by Amazon Inspector when the image scan finding is created, updated, or closed. For more information, see Enhanced scanning.

Event pattern:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"]
}

Finding Example:

{
    "version": "0",
    "id": "42dbea55-45ad-b2b4-87a8-afaEXAMPLE",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "123456789012",
    "time": "2021-12-03T18:02:30Z",
    "region": "us-east-2",
    "resources": [
        "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77eEXAMPLE"
    ],
    "detail": {
        "awsAccountId": "123456789012",
        "description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
        "findingArn": "arn:aws:inspector2:us-east-2:123456789012:finding/be674aaddd0f75ac632055EXAMPLE",
        "firstObservedAt": "Dec 3, 2021, 6:02:30 PM",
        "inspectorScore": 6.5,
        "inspectorScoreDetails": {
            "adjustedCvss": {
                "adjustments": [],
                "cvssSource": "REDHAT_CVE",
                "score": 6.5,
                "scoreSource": "REDHAT_CVE",
                "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
            }
        },
        "lastObservedAt": "Dec 3, 2021, 6:02:30 PM",
        "packageVulnerabilityDetails": {
            "cvss": [
                {
                    "baseScore": 6.5,
                    "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                    "source": "REDHAT_CVE",
                    "version": "3.0"
                },
                {
                    "baseScore": 5.8,
                    "scoringVector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
                    "source": "NVD",
                    "version": "2.0"
                },
                {
                    "baseScore": 8.1,
                    "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
                    "source": "NVD",
                    "version": "3.1"
                }
            ],
            "referenceUrls": [
                "https://access.redhat.com/errata/RHSA-2020:3915"
            ],
            "source": "REDHAT_CVE",
            "sourceUrl": "https://access.redhat.com/security/cve/CVE-2019-17498",
            "vendorCreatedAt": "Oct 16, 2019, 12:00:00 AM",
            "vendorSeverity": "Moderate",
            "vulnerabilityId": "CVE-2019-17498",
            "vulnerablePackages": [
                {
                    "arch": "X86_64",
                    "epoch": 0,
                    "name": "libssh2",
                    "packageManager": "OS",
                    "release": "12.amzn2.2",
                    "sourceLayerHash": "sha256:72d97abdfae3b3c933ff41e39779cc72853d7bd9dc1e4800c5294dEXAMPLE",
                    "version": "1.4.3"
                }
            ]
        },
        "remediation": {
            "recommendation": {
                "text": "Update all packages in the vulnerable packages section to their latest versions."
            }
        },
        "resources": [
            {
                "details": {
                    "awsEcrContainerImage": {
                        "architecture": "amd64",
                        "imageHash": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
                        "imageTags": [
                            "latest"
                        ],
                        "platform": "AMAZON_LINUX_2",
                        "pushedAt": "Dec 3, 2021, 6:02:13 PM",
                        "registry": "123456789012",
                        "repositoryName": "amazon/amazon-ecs-sample"
                    }
                },
                "id": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77EXAMPLE",
                "partition": "N/A",
                "region": "N/A",
                "type": "AWS_ECR_CONTAINER_IMAGE"
            }
        ],
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "title": "CVE-2019-17498 - libssh2",
        "type": "PACKAGE_VULNERABILITY",
        "updatedAt": "Dec 3, 2021, 6:02:30 PM"
    }
}

https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

Expert
Answered 4 months ago
0

Hi,

Did you notice

When enhanced scanning is turned on, Amazon ECR sends an event to EventBridge when 
the scan frequency for a repository is changed. Amazon Inspector emits events to EventBridge 
when an initial scan is completed and when an image scan finding is created, updated, or closed.

in https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

If you look at this post detailing EventBridge integration https://devpress.csdn.net/cloudnative/62f3778f7e66823466186b5b.html, events are raised when a (new) vulnerability is found, not when a scan (with already known vulnerabilities) is done.

I guess that this has to be confirmed by some tests: v1 of image (no vuln -> no event), v2 with vuln -> event, v3 with no vuln -> no event, v4 with vuln -> event.

Best,

Didier

AWS
Expert
Answered 4 months ago
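The two answers above point at two different Inspector events: the "Inspector2 Finding" event (one event per CVE, shape quoted in the first answer) and the initial-scan-completion event the second answer mentions, which is the one that carries per-image severity counts and therefore fits the "Critical 1 High 1 Medium 4" summary the question asks for. The handler below is an added example written for this thread; it is not code from the original post, from AWS, or from either answer. The "Inspector2 Finding" fields come from the event quoted above. The "Inspector2 Scan" detail-type and its "scan-status", "repository-name", "finding-severity-counts", "image-digest" and "image-tags" fields are assumptions taken from the ECR user guide page linked in both answers and should be checked against it; the SLACK_WEBHOOK_URL environment variable and both sample events are constructed for the example.

```python
"""Lambda handler for Amazon Inspector (ECR enhanced scanning) EventBridge events.
Added example for this thread; not code from the original post or from AWS."""
import json
import os
import urllib.request

# EventBridge rule: with enhanced scanning the source is "aws.inspector2", not
# "aws.ecr". "Inspector2 Scan" (initial scan complete, per-image counts) is an
# assumption from the ECR user guide; "Inspector2 Finding" is quoted above.
ENHANCED_SCAN_RULE = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Scan", "Inspector2 Finding"],
}

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNTRIAGED")


def repo_url(account: str, region: str, repository: str) -> str:
    """Private registry URL: <account>.dkr.ecr.<region>.amazonaws.com/<repo>."""
    return f"{account}.dkr.ecr.{region}.amazonaws.com/{repository}"


def format_counts(counts: dict) -> str:
    """'Critical 1 High 1 Medium 4': fixed severity order, zero counts skipped."""
    return " ".join(f"{s.capitalize()} {counts[s]}" for s in SEVERITY_ORDER if counts.get(s))


def summarize_scan(event: dict):
    """Per-image summary from an 'Inspector2 Scan' event (field names assumed)."""
    d = event["detail"]
    if d.get("scan-status") != "INITIAL_SCAN_COMPLETE":
        return None  # rescans / failed scans carry no summary worth posting
    # repository-name is a repository ARN in the guide's example; accept a bare name too
    repo = d["repository-name"].split("repository/", 1)[-1]
    url = repo_url(event["account"], event["region"], repo)
    ref = ",".join(d.get("image-tags") or []) or d.get("image-digest", "")
    return f"ECR repo url: {url} ({ref}) {format_counts(d.get('finding-severity-counts', {}))}"


def summarize_finding(event: dict):
    """One-line alert from an 'Inspector2 Finding' event (one CVE per event)."""
    d = event["detail"]
    if d.get("type") != "PACKAGE_VULNERABILITY":
        return None
    img = next((r["details"]["awsEcrContainerImage"] for r in d.get("resources", [])
                if r.get("type") == "AWS_ECR_CONTAINER_IMAGE"), None)
    if img is None:
        return None  # finding is about an EC2 instance or Lambda function, not an image
    # the resource block carries region "N/A"; the envelope region is the real one
    url = repo_url(img["registry"], event["region"], img["repositoryName"])
    return f"ECR repo url: {url} {d['status']} {d['severity']} {d['title']}"


def post_to_slack(webhook_url: str, text: str) -> int:
    """POST a Slack incoming-webhook payload; returns the HTTP status code."""
    req = urllib.request.Request(webhook_url, data=json.dumps({"text": text}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event: dict, context=None):
    """Route by detail-type; returns the Slack text, or None when nothing is sent."""
    if event.get("source") != "aws.inspector2":
        return None  # e.g. the basic-scanning "ECR Image Scan" event from aws.ecr
    handlers = {"Inspector2 Scan": summarize_scan, "Inspector2 Finding": summarize_finding}
    handler = handlers.get(event.get("detail-type"))
    text = handler(event) if handler else None
    webhook = os.environ.get("SLACK_WEBHOOK_URL")  # hypothetical env var for the example
    if text and webhook:
        post_to_slack(webhook, text)
    return text


# Constructed sample events (shape of SCAN_EVENT is the assumed guide layout).
SCAN_EVENT = {
    "detail-type": "Inspector2 Scan", "source": "aws.inspector2",
    "account": "123456789012", "region": "us-east-2",
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "repository-name": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample",
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 4},
        "image-digest": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77eEXAMPLE",
        "image-tags": ["latest"],
    },
}
FINDING_EVENT = {  # trimmed from the documented finding quoted in the first answer
    "detail-type": "Inspector2 Finding", "source": "aws.inspector2",
    "account": "123456789012", "region": "us-east-2",
    "detail": {
        "severity": "MEDIUM", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
        "title": "CVE-2019-17498 - libssh2",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "region": "N/A", "details": {
            "awsEcrContainerImage": {"registry": "123456789012",
                                     "repositoryName": "amazon/amazon-ecs-sample",
                                     "imageTags": ["latest"]}}}],
    },
}

if __name__ == "__main__":
    print(lambda_handler(SCAN_EVENT))
    print(lambda_handler(FINDING_EVENT))
```

Two things to keep in mind when wiring this up: a Finding event describes a single CVE, so a per-image total can only come from the scan-completion event or from a describe-image-scan-findings call inside the handler, and the envelope's region, not the "N/A" in the finding's resource block, is what belongs in the registry URL.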
