Amazon ECR Image scanning

Amazon ECR basic image scanning uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project to detect software vulnerabilities in container images and produces a list of scan findings. Those findings can be ingested into ThreatLockDown through the AWS CloudWatch Logs integration.

Amazon ECR sends an event to Amazon EventBridge when an image scan is completed. The event itself is only a summary and does not contain the details of the scan findings. However, it is possible to configure a Lambda function to request the scan findings details and store them in CloudWatch Logs. Here is a quick summary of what the workflow looks like:

  1. An image scan is triggered.

  2. Once the scan is completed Amazon ECR sends an event to EventBridge.

  3. The "Scan completed" event triggers a Lambda function.

  4. The Lambda function takes the repository name and image digest from the "Scan completed" event and requests the full scan findings from the Amazon ECR API.

  5. The Lambda function creates a log group and a log stream in CloudWatch Logs to store the response received.

  6. ThreatLockDown pulls the logs from the CloudWatch log groups using the CloudWatch Logs integration.
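The following Python sketch is an added example, not the Lambda shipped with the aws-samples template; it shows the shape of steps 3 to 5 on a constructed event. It accepts the EventBridge "ECR Image Scan" event, pages through DescribeImageScanFindings through an injected client (a boto3 ECR client in AWS, a stub here so it runs offline), and turns each finding into a CloudWatch log event under the log group name used later on this page. The log stream name, the per-finding message layout and the placeholder CVE names in the stub are assumptions.

```python
"""Added example: illustrative handler for steps 3-5 of the workflow.
NOT the Lambda from the aws-samples template. The ECR client is injected
so the same code runs against boto3 in AWS and against a stub here."""
import json
import time
from typing import Optional

# Log group naming used by the template, as described later on this page.
LOG_GROUP_PREFIX = "/aws/ecr/image-scan-findings/"


def log_group_for(repository_name: str) -> str:
    return LOG_GROUP_PREFIX + repository_name


def fetch_findings(ecr, repository_name: str, image_digest: str) -> list:
    """Page through DescribeImageScanFindings until nextToken runs out.
    `ecr` only needs a describe_image_scan_findings(**kwargs) method."""
    findings = []
    kwargs = {"repositoryName": repository_name,
              "imageId": {"imageDigest": image_digest}, "maxResults": 1000}
    while True:
        resp = ecr.describe_image_scan_findings(**kwargs)
        findings.extend(resp.get("imageScanFindings", {}).get("findings", []))
        token = resp.get("nextToken")
        if not token:
            return findings
        kwargs["nextToken"] = token


def to_log_events(detail: dict, findings: list, ts_ms: Optional[int] = None) -> list:
    """One JSON log event per finding; the image identity is repeated in every
    event so each line is self-describing in the SIEM (layout is an assumption)."""
    ts_ms = ts_ms if ts_ms is not None else int(time.time() * 1000)
    events = []
    for f in findings:
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        events.append({"timestamp": ts_ms, "message": json.dumps({
            "repository": detail["repository-name"],
            "image_digest": detail["image-digest"],
            "image_tags": detail.get("image-tags", []),
            "name": f["name"],
            "severity": f.get("severity", "UNDEFINED"),
            "package": attrs.get("package_name"),
            "package_version": attrs.get("package_version"),
            "uri": f.get("uri"),
        }, sort_keys=True)})
    return events


def handler(event: dict, ecr) -> dict:
    """Only a COMPLETE "ECR Image Scan" event carries findings; FAILED scans
    and unrelated events are ignored instead of logged."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "ECR Image Scan" or detail.get("scan-status") != "COMPLETE":
        return {"log_group": None, "log_stream": None, "events": []}
    findings = fetch_findings(ecr, detail["repository-name"], detail["image-digest"])
    return {"log_group": log_group_for(detail["repository-name"]),
            # Stream name is an assumption: one stream per scanned image digest.
            "log_stream": detail["image-digest"].replace(":", "-"),
            "events": to_log_events(detail, findings)}


# Constructed sample with the documented EventBridge "ECR Image Scan" shape.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "ECR Image Scan", "source": "aws.ecr",
    "account": "123456789012", "region": "us-east-1",
    "resources": ["arn:aws:ecr:us-east-1:123456789012:repository/app"],
    "detail": {"scan-status": "COMPLETE", "repository-name": "app",
               "image-digest": "sha256:0123abcd", "image-tags": ["latest"],
               "finding-severity-counts": {"HIGH": 1, "MEDIUM": 1}},
}


class StubECR:
    """Constructed stand-in for boto3's ECR client: two pages of findings with
    placeholder (not real) CVE names, so pagination is exercised offline."""

    def __init__(self):
        self.calls = []

    def describe_image_scan_findings(self, **kwargs):
        self.calls.append(kwargs)
        if "nextToken" not in kwargs:
            return {"imageScanFindings": {"findings": [
                {"name": "CVE-0000-0001", "severity": "HIGH",
                 "attributes": [{"key": "package_name", "value": "openssl"},
                                {"key": "package_version", "value": "1.1.1"}]}]},
                "nextToken": "page-2"}
        return {"imageScanFindings": {"findings": [
            {"name": "CVE-0000-0002", "severity": "MEDIUM", "attributes": []}]}}


if __name__ == "__main__":
    result = handler(SAMPLE_EVENT, StubECR())
    print(result["log_group"], result["log_stream"])
    for ev in result["events"]:
        print(ev["message"])
```

In AWS the `ecr` argument would be `boto3.client("ecr")` and the returned events would be written with `put_log_events` after creating the group and stream; that write step is left out so the example stays runnable offline.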

The following sections cover how to configure AWS to store the scan findings in CloudWatch Logs and how to ingest them into ThreatLockDown.

AWS configuration

AWS provides a CloudFormation template that writes the findings of Amazon ECR image scans to CloudWatch Logs. The template deploys an AWS Lambda function to do this.

Uploading the template and creating a stack, uploading the images to Amazon ECR, scanning the images, and using the logger all require specific permissions. Because of this, you need to create a custom policy granting these permissions.

To create a policy using the Amazon Web Services console, follow the AWS documentation.

Note that the policies below follow the principle of least privilege, so that the ThreatLockDown user receives only the permissions it needs.

IAM permissions

You need the permissions in the RoleCreator and PassRole statements below to create and delete the stack based on the template. RoleCreator covers creating, inspecting and deleting the Lambda execution role that the stack defines. PassRole limits which role the user may hand to Lambda, so keep iam:PassRole out of the broader RoleCreator statement: a PassRole grant on role/* would silently override the narrower one.

Warning

Scope these permissions to specific resources. The IAM actions they grant are powerful: on Resource "*" they would let the user create, modify or pass any role in the account.

{
   "Sid": "RoleCreator",
   "Effect": "Allow",
   "Action": [
      "iam:CreateRole",
      "iam:PutRolePolicy",
      "iam:AttachRolePolicy",
      "iam:DeleteRolePolicy",
      "iam:DeleteRole",
      "iam:GetRole",
      "iam:GetRolePolicy"
   ],
   "Resource": "arn:aws:iam::<account-ID>:role/*"
},
{
   "Sid": "PassRole",
   "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::<account-ID>:role/*-LambdaExecutionRole*"
}

CloudFormation stack permissions

You need the following permissions to create and delete a CloudFormation stack from an uploaded template. Most of these actions cannot be tied to a stack that does not exist yet, which is why Resource is "*". If you upload the template through the console, CloudFormation stores it in an S3 bucket it creates for that purpose; once you know that bucket's name, restrict the s3: actions to it.

{
   "Sid": "CloudFormationStackCreation",
   "Effect": "Allow",
   "Action": [
      "cloudformation:CreateStack",
      "cloudformation:ValidateTemplate",
      "cloudformation:CreateUploadBucket",
      "cloudformation:GetTemplateSummary",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResources",
      "cloudformation:ListStacks",
      "cloudformation:DeleteStack",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:CreateBucket"
   ],
   "Resource": "*"
}

ECR registry and repository permissions

These Amazon ECR permissions are registry-level rather than repository-level. ecr:GetAuthorizationToken in particular cannot be restricted to a repository, so Resource is "*".

Note

You need ecr:GetAuthorizationToken before you can authenticate to the registry and push or pull any image from any Amazon ECR repository.

{
   "Sid": "ECRUtilities",
   "Effect": "Allow",
   "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:DescribeRepositories"
   ],
   "Resource": "*"
}

Image pushing and scanning permissions

You need the following Amazon ECR permissions to push images, start scans and read the findings. They are scoped down to a single repository. ecr:StartImageScan lets you trigger a scan manually, and ecr:DescribeImageScanFindings lets you read the results directly, independently of the Lambda function. The steps to push Docker images are described in the Amazon ECR - Pushing a Docker image documentation.

{
   "Sid": "ScanPushImage",
   "Effect": "Allow",
   "Action": [
      "ecr:CompleteLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:InitiateLayerUpload",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:DescribeImageScanFindings",
      "ecr:StartImageScan"
   ],
   "Resource": "arn:aws:ecr:<region>:<account-ID>:repository/<repository-name>"
}

AWS Lambda and Amazon EventBridge permissions

You need the following permissions to create and delete the resources handled by the Scan Findings Logger template.

{
   "Sid": "TemplateRequired0",
   "Effect": "Allow",
   "Action": [
      "lambda:RemovePermission",
      "lambda:DeleteFunction",
      "lambda:GetFunction",
      "lambda:CreateFunction",
      "lambda:AddPermission"
   ],
   "Resource": "arn:aws:lambda:<region>:<account-ID>:*"
},
{
   "Sid": "TemplateRequired1",
   "Effect": "Allow",
   "Action": [
      "events:RemoveTargets",
      "events:DeleteRule",
      "events:PutRule",
      "events:DescribeRule",
      "events:PutTargets"
   ],
   "Resource": "arn:aws:events:<region>:<account-ID>:*"
}
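Before attaching the statements above, it is worth assembling them into one policy document and checking that the scoping survived copy-and-paste. The following Python is an added example, not AWS's or the template's code: FRAGMENTS is a constructed subset of the statements on this page (RoleCreator deliberately includes iam:PassRole on role/* to show what the lint catches), the placeholders are substituted as the text describes, and `lint` reports IAM, Lambda or EventBridge actions granted on Resource "*" and any iam:PassRole grant that covers every role. The account ID, region and repository name are placeholders.

```python
"""Added example (not AWS's or the template's code): assemble the statement
fragments from this page into one policy document and lint it for the two
ways the least-privilege intent is commonly undone."""
import json

# Constructed subset of the statements on this page, placeholders included.
FRAGMENTS = [
    {"Sid": "RoleCreator", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRole",
                "iam:GetRole", "iam:PassRole"],
     "Resource": "arn:aws:iam::<account-ID>:role/*"},
    {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::<account-ID>:role/*-LambdaExecutionRole*"},
    {"Sid": "ECRUtilities", "Effect": "Allow",
     "Action": ["ecr:GetAuthorizationToken", "ecr:DescribeRepositories"],
     "Resource": "*"},
    {"Sid": "ScanPushImage", "Effect": "Allow",
     "Action": ["ecr:PutImage", "ecr:StartImageScan", "ecr:DescribeImageScanFindings"],
     "Resource": "arn:aws:ecr:<region>:<account-ID>:repository/<repository-name>"},
]

# Services whose actions should never be granted on Resource "*" in this policy.
# (ecr is left out because ecr:GetAuthorizationToken cannot be scoped.)
SCOPED_SERVICES = {"iam", "lambda", "events"}

# Placeholder values; substitute your own.
VALUES = {"account-ID": "123456789012", "region": "us-east-1", "repository-name": "app"}


def render(fragment: dict, values: dict) -> dict:
    """Substitute <account-ID>, <region> and <repository-name> placeholders."""
    text = json.dumps(fragment)
    for key, value in values.items():
        text = text.replace(f"<{key}>", value)
    return json.loads(text)


def policy_document(fragments: list, values: dict) -> dict:
    """The complete IAM policy the console or CLI expects."""
    return {"Version": "2012-10-17", "Statement": [render(f, values) for f in fragments]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint(policy: dict) -> list:
    """Return human-readable problems; empty means the scoping is intact."""
    problems = []
    for st in policy["Statement"]:
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for a in actions:
            if a.split(":")[0] in SCOPED_SERVICES and "*" in resources:
                problems.append(f'{st["Sid"]}: {a} on Resource "*"')
        # iam:PassRole on every role lets the user hand any role to Lambda,
        # which silently overrides a narrower PassRole statement elsewhere.
        if "iam:PassRole" in actions:
            for r in resources:
                if r == "*" or r.endswith(":role/*"):
                    problems.append(f'{st["Sid"]}: iam:PassRole on {r}')
    return problems


def drop_action(policy: dict, sid: str, action: str) -> dict:
    """Copy of `policy` with `action` removed from the statement `sid`."""
    out = json.loads(json.dumps(policy))
    for st in out["Statement"]:
        if st["Sid"] == sid:
            st["Action"] = [a for a in _as_list(st["Action"]) if a != action]
    return out


if __name__ == "__main__":
    doc = policy_document(FRAGMENTS, VALUES)
    print(lint(doc))
    fixed = drop_action(doc, "RoleCreator", "iam:PassRole")
    print(lint(fixed))
    print(json.dumps(fixed, indent=2))
```

Run it once on the statements exactly as you intend to attach them; the only finding on the constructed input is the iam:PassRole grant on role/* in RoleCreator, and removing that action from the broad statement leaves the dedicated PassRole statement as the sole, narrowly scoped grant.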

How to create the CloudFormation Stack

  1. Download the ECR Image Scan findings logger template from the official aws-samples GitHub repository.

  2. Access CloudFormation and click on Create stack.

  3. Create a new stack using the template from step 1.

  4. Choose a name for the stack and finish the creation process. No additional configuration is required.

  5. Wait until "CREATE_COMPLETE" status is reached. The stack containing the AWS Lambda function is now ready to be used.

Once the stack is created, test the Lambda function by manually triggering an image scan (the ecr:StartImageScan permission in the ScanPushImage statement allows this) or by pushing a new image to a repository with scan on push enabled. The scan results in the creation of a CloudWatch log group called /aws/ecr/image-scan-findings/<name of the ECR repository> containing the scan findings. For every new scan, the corresponding log streams are created inside the log group. If the log group does not appear, check the Lambda function's own log group (/aws/lambda/<function name>) in CloudWatch Logs for errors.

ThreatLockDown configuration

  1. Open the ThreatLockDown configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>5m</interval>
      <run_on_start>yes</run_on_start>
      <service type="cloudwatchlogs">
        <aws_profile>default</aws_profile>
        <aws_log_groups>/aws/ecr/image-scan-findings/name_of_the_ECR_repository</aws_log_groups>
      </service>
    </wodle>
    

    Note

    Check the AWS CloudWatch Logs integration to learn more about how the CloudWatch Logs integration works.

  2. Restart ThreatLockDown to apply the configuration changes.

    • If you are configuring a ThreatLockDown manager:

      # systemctl restart wazuh-manager
      
    • If you are configuring a ThreatLockDown agent:

      # systemctl restart wazuh-agent