Link AWS ECR

Deepbits can analyze your Docker images stored in AWS ECR. If your organization plans to use AWS ECR as its container registry, this is the best way to integrate deepbits.

Features

  • List all your ECR images in the deepbits app.
  • Watch your ECR images: if you click the watch button on an image, deepbits automatically rescans it whenever the image is updated or the deepbits knowledge base is updated, so the scan result always reflects the latest state.
  • Detect vulnerabilities and malware in your images, just like on-premises images.
  • Execute policies on your ECR images.

Setup

  • Go to the AWS accounts page in the deepbits app.
  • Choose your account's primary region; we'll create a CloudFormation stack for your AWS account in the region you select.
  • Create the IAM role with our CloudFormation template.
  • Finish the setup by filling in the RoleARN and ExternalId from the CloudFormation stack output.

Overview of ECR dashboard

Malware and vulnerability summary

This section shows the top vulnerabilities and malware found in your ECR repositories.

Repository List

This section lists all the ECR images found in your AWS account, with a quick summary of the issues found for each image.

Actions on each image

View

Clicking this button opens the image detail page, where you can view more information about the image.

Watch

Watch an image you are not yet watching. Once an image is watched, deepbits auto-scans it whenever the image changes or our knowledge base is updated.

Rescan

Trigger a scan of your ECR image now if you want to refresh the scan result immediately.

ECR image detail

See the On-premises image detail docs for this section; the ECR image detail page is almost the same as the On-premises image detail page.

Security Concern

As an account owner, you may want to know how deepbits accesses your AWS data and what it stores.

Access AWS data

Our CloudFormation template creates an IAM role that grants the deepbits scan agent only a limited set of permissions. You can view the details of the template by clicking this URL.

Trust relationship

Only these two principals can assume your AWS IAM role:

"arn:aws:iam::733851098553:role/drcloud-scanner-role",
"arn:aws:iam::733851098553:user/drcloud-scanner"

733851098553 is the deepbits account ID, so only deepbits can use the IAM role created in your AWS account.

Permissions we need

arn:aws:iam::aws:policy/SecurityAudit - the AWS managed policy that grants read access to security configuration metadata, used to audit accounts for compliance with security requirements.
drcloud-additional-policy - additional read-only permissions required to complete the watch ECR image feature.
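To verify that the role created in your account actually matches what the Trust relationship and Permissions sections describe, you can inspect the policy documents yourself. The script below is an added example, not deepbits' template or tooling: it checks that only the two deepbits principals listed above may assume the role, that the assumption is bound to an sts:ExternalId condition (an assumption about how the template uses the ExternalId from the stack output; the check flags its absence as a finding), and that the additional policy contains only read-style actions. The policy documents in the block are constructed for the example; the read-only verb list is a heuristic, not an AWS definition.

```python
"""Check an IAM role's trust policy and its additional permissions policy
against the scope described on the page. Sample documents are constructed
for this example and modelled on the page's description, not copied from
the deepbits CloudFormation template."""
import json

# From the page: the only principals that should be able to assume the role.
DEEPBITS_ACCOUNT = "733851098553"
ALLOWED_PRINCIPALS = {
    f"arn:aws:iam::{DEEPBITS_ACCOUNT}:role/drcloud-scanner-role",
    f"arn:aws:iam::{DEEPBITS_ACCOUNT}:user/drcloud-scanner",
}

# Assumption: an action is "read-only" if its verb starts with one of these.
READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "BatchCheck")


def _as_list(value):
    """IAM accepts a scalar or a list for Principal, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Return findings (empty list means OK) for an AssumeRole trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("wildcard principal can assume the role")
            continue
        for arn in _as_list(principal.get("AWS")):
            if arn not in ALLOWED_PRINCIPALS:
                findings.append(f"unexpected principal {arn}")
        # Assumed: the template binds assumption to the ExternalId from the
        # stack output; without it any party trusted by deepbits' account
        # could use the role (confused-deputy problem).
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def check_permissions_policy(doc):
    """Return the allowed actions that are not read-only by the heuristic."""
    non_read = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                non_read.append(action)
    return non_read


# Constructed sample: a trust policy that matches the page's description.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": sorted(ALLOWED_PRINCIPALS)},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed sample: read-only ECR actions, as drcloud-additional-policy is
# described (the real policy's action list is not shown on the page).
ADDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
            "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
        ],
        "Resource": "*",
    }],
}

# Constructed tampered variant: an extra account and no ExternalId condition.
TAMPERED_TRUST = json.loads(json.dumps(TRUST_POLICY))
TAMPERED_TRUST["Statement"][0]["Principal"]["AWS"].append("arn:aws:iam::111111111111:root")
del TAMPERED_TRUST["Statement"][0]["Condition"]

if __name__ == "__main__":
    print("good trust policy:", check_trust_policy(TRUST_POLICY))
    print("tampered trust policy:", check_trust_policy(TAMPERED_TRUST))
    print("non-read actions:", check_permissions_policy(ADDITIONAL_POLICY))
```

To run the checks against the real role, fetch the documents with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and `aws iam get-role-policy --role-name <name> --policy-name <policy>` (or `aws iam get-policy-version` for a managed policy) and pass the parsed JSON to the two functions.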

Store AWS data

We store only the information we need, such as your ECR repository list and image list, in our database. Each account's data can be viewed only by the account owner.

Data deletion

Whenever you no longer want to use the deepbits AWS-related features, you can click the Unlink Account button on the AWS - Accounts page. Unlinking permanently deletes all your AWS account and ECR data from our database. This action can't be undone.