Deepbits can analyze your docker images on AWS ECR. If your organization plan to use AWS ECR as your docker container registry then this is the best way to integrate deepbits.
- List all your ECR images on the deepbits app.
- Watch your ECR images, if you click the watch button on an image, whenever the image is updated or deepbits updates the knowledge base, we'll automatically rescan your image to reflect the latest scan result.
- Detect vulnerabilities and malware for your image just like On-premises images.
- Execute policies on your ECR images.
- Go to the AWS accounts page in the deepbits app.
- Choose your account primary region, we'll create a cloudformation stack for your AWS account in the region you selected.
- Create the IAM role with our cloudformation template.
- Finish the setup by filling in RoleARN and ExternalId from the cloudformation output.
This section shows the top vulnerabilities or malware we found on your ECR repositories.
The section will list all the ECR images we found in your AWS account. you can take a quick look at the issues we found for each image.
Clicking this button will redirect you to the image detail page, you can view more information on this image.
You can watch on the image if haven't watched. By clicking this button deepbits will auto-scan your image either image change or our knowledge base updated.
Trigger a scan on your ECR image if you want to refresh your scan result now.
You can check out On-premises image detail docs for this section, ECR image detail is almost the same as On-Premises image detail.
As an account owner, you may be concerned about how deepbits access your AWS data and store it.
By creating an IAM role with our cloudformation template, you'll create an IAM role that only allows deepbits scan agent to access limited permissions. You can view the detail of the template by clicking this URL.
Only these two principals can assume your AWS IAM role.
733851098553 is the deepbits account id, which means only deepbits can use the IAM roles created in your AWS account.
arn:aws:iam::aws:policy/SecurityAudit - monitors accounts for compliance with security requirements.
drcloud-additional-policy - read-only permissions in order to complete the watch ECR image feature.
We only store necessary information like your ECR repository list and image list information in our database. Each account's data only can be visited by the account owner safely.
Whenever you don't want to use the deepbits AWS-related feature, you can always click ~Unlink Account~ button on AWS - Accounts page. By clicking the unlink button we'll permanently delete all your AWS account and ECR data in our database. This action can't be undone.
Updated 9 days ago