Lab: AWS ECR Image Scanning for Vulnerabilities

Prerequisites

Configure AWS CLI
- Configure AWS CLI with your credentials:
aws configure
- Provide AWS Access Key ID, Secret Access Key, Default region (e.g., us-west-2), and Default output format (e.g., json).
Hands on Lab
- Change the directory:
cd /workspaces/www-project-eks-goat/docker-lab
- Fetch your AWS Account ID:
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
- Create a new repository in Amazon ECR with scan-on-push enabled:
aws ecr create-repository --repository-name k8svillage-ecr-repo --region us-west-2 --image-scanning-configuration scanOnPush=true
- Verify the repository creation (describe-repositories takes the plural --repository-names flag):
aws ecr describe-repositories --repository-names k8svillage-ecr-repo --region us-west-2
- Log in to your ECR registry:
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com
- Create a sample Dockerfile for building the image:
cat <<EOF > Dockerfile
FROM ubuntu:latest
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y curl && apt-get clean
CMD ["bash"]
EOF
- Build the Docker image:
docker build -t k8svillage-ecr-repo .
- Tag the Docker image for ECR:
docker tag k8svillage-ecr-repo:latest ${ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/k8svillage-ecr-repo:latest
- Push the Docker image to ECR (scan-on-push starts the scan automatically):
docker push ${ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/k8svillage-ecr-repo:latest
- Retrieve the image digest dynamically, to look up the results:
IMAGE_DIGEST=$(aws ecr describe-images --repository-name k8svillage-ecr-repo --region us-west-2 --query 'imageDetails[0].imageDigest' --output text)
- Retrieve the scan findings:
aws ecr describe-image-scan-findings --repository-name k8svillage-ecr-repo --image-id imageDigest=${IMAGE_DIGEST} --region us-west-2
If the scan returns an error, retry the lab in another region.
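To turn the scan output into something a pipeline can act on, here is an added Python example (not part of the lab or the EKS Goat project) that parses the JSON printed by `describe-image-scan-findings`, recognises a scan that is still running, and fails the build on CRITICAL or HIGH findings. It works on a constructed sample response (the account id, digest and CVE ids are placeholders) and assumes basic scanning, whose findings carry a `package_name` attribute.

```python
import json

# Constructed sample shaped like the JSON that `aws ecr describe-image-scan-findings`
# prints for the lab's repository under basic scanning; the account id, digest and
# CVE ids are placeholders, not real findings.
SAMPLE_RESPONSE = json.loads("""{
  "registryId": "123456789012",
  "repositoryName": "k8svillage-ecr-repo",
  "imageId": {"imageDigest": "sha256:PLACEHOLDER_DIGEST", "imageTag": "latest"},
  "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
  "imageScanFindings": {
    "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
    "findings": [
      {"name": "CVE-0000-00001", "severity": "HIGH",
       "attributes": [{"key": "package_name", "value": "libcurl4"}]},
      {"name": "CVE-0000-00002", "severity": "MEDIUM",
       "attributes": [{"key": "package_name", "value": "libssl3"}]},
      {"name": "CVE-0000-00003", "severity": "LOW",
       "attributes": [{"key": "package_name", "value": "bash"}]}
    ]
  }
}""")

# Severities ECR basic scanning reports, worst first.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")


def summarize_scan(response, fail_on=("CRITICAL", "HIGH")):
    """Turn one describe-image-scan-findings response into a gate decision.

    Returns (verdict, counts, packages): verdict is "pending" while the scan is
    still IN_PROGRESS (scan-on-push has not finished), "error" if it FAILED or
    the status is missing, "fail" if any finding has a severity in fail_on,
    else "pass"; counts is findings per severity; packages lists
    (severity, cve, package_name) tuples, worst severity first.
    """
    status = response.get("imageScanStatus", {}).get("status")
    if status == "IN_PROGRESS":
        return "pending", {}, []
    if status != "COMPLETE":
        return "error", {}, []
    counts, packages = {}, []
    for finding in response.get("imageScanFindings", {}).get("findings", []):
        sev = finding.get("severity", "UNDEFINED").upper()
        counts[sev] = counts.get(sev, 0) + 1
        attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
        packages.append((sev, finding.get("name", ""), attrs.get("package_name", "")))
    packages.sort(key=lambda p: SEVERITY_ORDER.index(p[0]) if p[0] in SEVERITY_ORDER else 99)
    verdict = "fail" if any(counts.get(s) for s in fail_on) else "pass"
    return verdict, counts, packages
```

To run it against the lab's real output, pipe the command into a script that replaces `SAMPLE_RESPONSE` with `json.load(sys.stdin)`; right after `docker push` the first call may still report IN_PROGRESS, so poll until the verdict is no longer "pending".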
Optional: View Scan Results in AWS Console
- Navigate to the Amazon ECR service in the AWS Management Console.
- Select your repository, then select the image.
- Click on Vulnerabilities to view detailed scan results.

Clean Up Resources
- Delete the ECR repository:
aws ecr delete-repository --repository-name k8svillage-ecr-repo --region us-west-2 --force
- Remove the Docker image locally:
docker rmi ${ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/k8svillage-ecr-repo:latest
- Delete the Dockerfile:
rm Dockerfile
Note: If you get the error "StartImageScan seems to be disabled when Enhanced scanning is enabled", see repost.aws for the workaround.