Control: 2 Amazon Inspector ECR scanning should be enabled
Description
This control checks whether Amazon Inspector ECR scanning is enabled. For a standalone account, the control fails if Amazon Inspector ECR scanning is disabled in the account. In a multi-account environment, the control fails unless the delegated Amazon Inspector administrator account and every member account have ECR scanning enabled.
In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the ECR scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector ECR scanning enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.
Amazon Inspector scans container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities to generate package vulnerability findings. When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces basic scanning, which is provided at no charge by Amazon ECR, with enhanced scanning, which is provided and billed through Amazon Inspector. Enhanced scanning gives you the benefit of vulnerability scanning for both operating system and programming language packages at the registry level. You can review findings discovered using enhanced scanning at the image level, for each layer of the image, on the Amazon ECR console. Additionally, you can review and work with these findings in other services not available for basic scanning findings, including AWS Security Hub and Amazon EventBridge.
Remediation
To enable Amazon Inspector ECR scanning, see Activating scans in the Amazon Inspector User Guide.
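The following Python is an added example, not code from the mod or from the AWS documentation. It applies the evaluation rule from the description above (PASSED only when the delegated administrator and every member account have ECR scanning enabled; a suspended member that is not enabled must be disassociated rather than enabled) to a constructed response shaped like the output of aws inspector2 batch-get-account-status, and then emits the AWS CLI commands a delegated administrator would run to remediate. The account IDs and statuses are made up, and the example assumes the status response was fetched from the delegated administrator for every associated account (for example aws inspector2 list-members followed by batch-get-account-status --account-ids ...).

```python
"""Evaluate Amazon Inspector ECR-scanning status per account the way the
Inspector.2 control does, and derive the remediation commands.

Added example; not part of the aws_compliance mod. Assumes the input has the
shape returned by `aws inspector2 batch-get-account-status`.
"""

# Constructed sample (made-up account IDs) modelled on batch-get-account-status
# as seen from the delegated administrator 111111111111.
SAMPLE_STATUS = {
    "accounts": [
        {   # delegated administrator: ECR scanning on
            "accountId": "111111111111",
            "state": {"status": "ENABLED"},
            "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"}},
        },
        {   # active member: EC2 scanning on, ECR scanning off -> needs enabling
            "accountId": "222222222222",
            "state": {"status": "ENABLED"},
            "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"}},
        },
        {   # suspended member: cannot be enabled, must be disassociated to get PASSED
            "accountId": "333333333333",
            "state": {"status": "SUSPENDED"},
            "resourceState": {"ec2": {"status": "SUSPENDED"}, "ecr": {"status": "SUSPENDED"}},
        },
    ]
}


def evaluate(status_response):
    """Return (control_status, accounts_to_enable, accounts_to_disassociate).

    Only ECR status "ENABLED" counts; ENABLING/DISABLING/DISABLED all fail the
    control, because Security Hub evaluates the current state, not the intent.
    """
    to_enable, to_disassociate = [], []
    for acct in status_response.get("accounts", []):
        account_id = acct["accountId"]
        account_state = acct.get("state", {}).get("status", "DISABLED")
        ecr_state = acct.get("resourceState", {}).get("ecr", {}).get("status", "DISABLED")
        if ecr_state == "ENABLED":
            continue
        if account_state == "SUSPENDED":
            # The delegated admin cannot enable scanning in a suspended account.
            to_disassociate.append(account_id)
        else:
            to_enable.append(account_id)
    control_status = "PASSED" if not (to_enable or to_disassociate) else "FAILED"
    return control_status, to_enable, to_disassociate


def remediation_commands(admin_account_id, to_enable, to_disassociate):
    """Build the AWS CLI commands the delegated administrator would run.

    `aws inspector2 enable` without --account-ids acts on the calling account;
    with --account-ids it acts on member accounts (delegated admin only).
    """
    cmds = []
    members = [a for a in to_enable if a != admin_account_id]
    if admin_account_id in to_enable:
        cmds.append("aws inspector2 enable --resource-types ECR")
    if members:
        cmds.append("aws inspector2 enable --resource-types ECR --account-ids " + " ".join(members))
    for account_id in to_disassociate:
        cmds.append(f"aws inspector2 disassociate-member --account-id {account_id}")
    return cmds


if __name__ == "__main__":
    status, enable, disassociate = evaluate(SAMPLE_STATUS)
    print(f"control status: {status}")
    for cmd in remediation_commands("111111111111", enable, disassociate):
        print(cmd)
```

After remediating, also set aws inspector2 update-organization-configuration --auto-enable ecr=true from the delegated administrator so that accounts joining the organization later get ECR scanning automatically; that auto-enable flag is what the SQL query below inspects.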
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_inspector_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_inspector_2 --share
SQL
This control uses a named query:
-- Evaluates the ECR auto-enable flag of the Inspector organization configuration per region.
-- The query as published tested ec2_auto_enable in the reason branches (a copy-paste slip
-- from the EC2 control), so the "disabled" reason could never fire; it now uses ecr_auto_enable
-- throughout.
select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  case
    when r.steampipe_available = false then 'skip'
    when c.ecr_auto_enable then 'ok'
    else 'alarm'
  end as status,
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when c.ecr_auto_enable then 'AWS Inspector ECR scanning enabled for region ' || c.region || ' (' || c.account_id || ').'
    -- configuration row exists but ECR auto-enable is false (or unset)
    when c.account_id is not null then 'AWS Inspector ECR scanning disabled for region ' || r.region || ' (' || r.account_id || ').'
    -- no organization configuration row at all: Inspector is not activated in this region
    else 'AWS Inspector deactivated for region ' || r.region || ' (' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_inspector2_organization_configuration as c
    on r.account_id = c.account_id
    and r.region = c.region;