I had never used the ECR image scan function, so I tried it out with CDK.
As shown below, you can enable automatic scanning just by passing image_scan_on_push to the Repository constructor. CDK is convenient.
from aws_cdk import (
    aws_ecr as ecr,
    core,
)

class RepoStack(core.Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)
        # Every image pushed to this repository is scanned automatically
        repository = ecr.Repository(self, "Repo",
            image_scan_on_push=True
        )
After synthesizing the above, cdk diff shows that an ECR repository and an ECRImageScanOnPush custom resource will be created.
$ cdk diff repo
...
Resources
[+] AWS::ECR::Repository Repo Repo02AC86CF
[+] Custom::ECRImageScanOnPush Repo/ImageScanOnPush/Resource RepoImageScanOnPush94CFD98F
[+] AWS::IAM::Role AWS679f53fac002430cb0da5b7982bd2287/ServiceRole AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
[+] AWS::IAM::Policy AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/DefaultPolicy AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E
[+] AWS::Lambda::Function AWS679f53fac002430cb0da5b7982bd2287 AWS679f53fac002430cb0da5b7982bd22872D164C4C
...
Checking from the CLI confirmed that the repository really had been created, and the output also included the image scanning setting.
$ aws --region us-east-1 ecr describe-repositories | jq .
{
  "repositories": [
    {
      "repositoryArn": "arn:aws:ecr:us-east-1:000000000000:repository/repo-repo0-ny7qkwdk6aru",
      "registryId": "000000000000",
      "repositoryName": "repo-repo0-ny7qkwdk6aru",
      "repositoryUri": "000000000000.dkr.ecr.us-east-1.amazonaws.com/repo-repo0-ny7qkwdk6aru",
      "createdAt": 1589559800,
      "imageTagMutability": "MUTABLE",
      "imageScanningConfiguration": {
        "scanOnPush": true
      }
    }
  ]
}
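As an added example (not code from the original post), here is a small audit over the describe-repositories output shown above: it reports every repository whose imageScanningConfiguration.scanOnPush is false or absent, so a stack that forgot image_scan_on_push is caught. The sample payload is constructed from the page's output plus two hypothetical repositories; the boto3 call under __main__ is an optional live check and assumes the us-east-1 region used on the page.

```python
import json
from typing import Dict, List

# Constructed sample based on the describe-repositories output above,
# extended with two hypothetical repositories that are not scanned.
SAMPLE_DESCRIBE_REPOSITORIES = {
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:000000000000:repository/repo-repo0-ny7qkwdk6aru",
            "registryId": "000000000000",
            "repositoryName": "repo-repo0-ny7qkwdk6aru",
            "repositoryUri": "000000000000.dkr.ecr.us-east-1.amazonaws.com/repo-repo0-ny7qkwdk6aru",
            "createdAt": 1589559800,
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {"scanOnPush": True},
        },
        {   # hypothetical: created without image_scan_on_push
            "repositoryName": "legacy-app",
            "registryId": "000000000000",
            "imageScanningConfiguration": {"scanOnPush": False},
        },
        {   # hypothetical: response omits the scanning block entirely
            "repositoryName": "no-config",
            "registryId": "000000000000",
        },
    ]
}


def scan_on_push_enabled(repo: Dict) -> bool:
    """True only when scanOnPush is explicitly true; a missing block counts as disabled."""
    return bool(repo.get("imageScanningConfiguration", {}).get("scanOnPush", False))


def repos_missing_scan_on_push(describe_output: Dict) -> List[str]:
    """Sorted names of repositories whose pushed images will not be scanned automatically."""
    return sorted(
        repo["repositoryName"]
        for repo in describe_output.get("repositories", [])
        if not scan_on_push_enabled(repo)
    )


if __name__ == "__main__":
    import boto3  # optional live check; needs AWS credentials

    client = boto3.client("ecr", region_name="us-east-1")  # assumption: same region as the post
    live = {"repositories": []}
    for page in client.get_paginator("describe_repositories").paginate():
        live["repositories"].extend(page["repositories"])
    print(json.dumps(repos_missing_scan_on_push(live), indent=2))
```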
That accomplishes what I set out to do, but creating the resource also produced resources other than ECR, shown below. Let's check whether these were created as well.
[+] AWS::IAM::Role AWS679f53fac002430cb0da5b7982bd2287/ServiceRole AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
[+] AWS::IAM::Policy AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/DefaultPolicy AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E
[+] AWS::Lambda::Function AWS679f53fac002430cb0da5b7982bd2287 AWS679f53fac002430cb0da5b7982bd22872D164C4C
First the Lambda function: no function whose name starts with AWS was listed.
$ aws --region us-east-1 lambda list-functions | jq .Functions[].FunctionName | grep AWS
$
Next the IAM role: it was not listed either, so I also could not find the IAM policy attached to it.
$ aws --region us-east-1 iam list-roles | jq .Roles[].RoleName | grep AWS679f53fac002430cb0da5b7982bd2287
$
In other words, I think these are resources that live on the AWS side rather than resources the user can configure and inspect. They are probably the Lambda function and its IAM role used when scanning ECR. I expect this will be fixed soon, but it gave me a small glimpse of AWS's internals.