Amazon Inspector ECR scanning should be enabled
Description
This control checks whether Amazon Inspector ECR scanning is enabled. Amazon Inspector scans container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities, so disabling it leaves images in the registry unscanned.

For a standalone account, the control fails if Amazon Inspector ECR scanning is disabled in the account. In a multi-account environment, the control fails unless ECR scanning is enabled in both the delegated Amazon Inspector administrator account and every member account; it generates findings only in the delegated administrator account.

Only the delegated administrator can enable or disable the ECR scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their own accounts. The control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector ECR scanning enabled, because scanning can't be enabled on a suspended account. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.
Remediation
To remediate this finding, enable ECR scanning in Amazon Inspector. Amazon Inspector is a Regional service, so this must be done in every Region where the control reports a failure. In a multi-account environment, do this from the delegated Amazon Inspector administrator account, which is the only account that can enable the feature for members.
Steps
- Navigate to the Amazon Inspector console in the affected Region
- Go to 'Settings' in the left navigation
- Select 'ECR' under 'Scanning'
- Enable 'ECR scanning'
- Configure scanning settings as needed, for example how long pushed images continue to be rescanned
- Save the configuration
- Verify that the ECR scanning status is reported as enabled
- For multi-account environments, enable ECR scanning from the delegated administrator account for every member account; member accounts can't enable it themselves
- Disassociate any suspended member accounts that can't have ECR scanning enabled, otherwise the control keeps failing
- Set up monitoring and alerting on the resulting scan findings
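The same check and remediation can be scripted from the delegated administrator account. The following is an added example, not code from the control's documentation or from AWS: it mirrors the control's pass/fail logic over the status that Inspector's BatchGetAccountStatus returns, enables ECR scanning where it is missing, and disassociates suspended members that can't be enabled. It uses the real boto3 `inspector2` method and parameter names (`list_members`, `batch_get_account_status`, `enable`, `disassociate_member`); the `FakeInspector2` class, the account IDs, and the set of suspended accounts are constructed here so the logic runs offline, and in real use a `boto3.client("inspector2")` is passed in its place.

```python
"""Evaluate and remediate 'Amazon Inspector ECR scanning should be enabled'
from the delegated Amazon Inspector administrator account.

Added example (not AWS code). Real boto3 inspector2 method/parameter names are
used; FakeInspector2 and all account IDs below are constructed for offline use.
"""
from typing import Dict, List, Set

RESOURCE_TYPE_ECR = "ECR"


def list_member_ids(client) -> List[str]:
    """Collect the IDs of all associated member accounts (ListMembers is paginated)."""
    ids, token = [], None
    while True:
        kwargs = {"onlyAssociated": True}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_members(**kwargs)
        ids.extend(m["accountId"] for m in resp.get("members", []))
        token = resp.get("nextToken")
        if not token:
            return ids


def ecr_status_by_account(client, account_ids: List[str]) -> Dict[str, str]:
    """Map each account to its ECR scanning status via BatchGetAccountStatus.
    Status values: ENABLING, ENABLED, DISABLING, DISABLED, SUSPENDING, SUSPENDED."""
    statuses: Dict[str, str] = {}
    resp = client.batch_get_account_status(accountIds=account_ids)
    for acct in resp.get("accounts", []):
        statuses[acct["accountId"]] = acct["resourceState"]["ecr"]["status"]
    # Accounts Inspector could not report on are treated as not enabled.
    for failed in resp.get("failedAccounts", []):
        statuses[failed["accountId"]] = "UNKNOWN:" + failed.get("errorCode", "")
    return statuses


def evaluate_control(statuses: Dict[str, str]) -> Dict[str, object]:
    """Mirror the control: PASSED only if the admin and every member are ENABLED."""
    failing = sorted(a for a, s in statuses.items() if s != "ENABLED")
    return {"result": "FAILED" if failing else "PASSED", "failing_accounts": failing}


def remediate(client, admin_account: str, suspended_accounts: Set[str]) -> Dict[str, object]:
    """Enable ECR scanning where missing; disassociate suspended members that can't be enabled.
    suspended_accounts is supplied by the operator (e.g. from AWS Organizations); assumed input."""
    members = list_member_ids(client)
    targets = [admin_account] + members
    before = ecr_status_by_account(client, targets)
    to_enable = [a for a, s in before.items() if s != "ENABLED" and a not in suspended_accounts]
    if to_enable:
        client.enable(accountIds=to_enable, resourceTypes=[RESOURCE_TYPE_ECR])
    disassociated = []
    for a in members:
        if a in suspended_accounts and before.get(a) != "ENABLED":
            client.disassociate_member(accountId=a)  # only the delegated admin can do this
            disassociated.append(a)
    remaining = [a for a in targets if a not in disassociated]
    after = ecr_status_by_account(client, remaining)
    return {"enabled": to_enable, "disassociated": disassociated, "evaluation": evaluate_control(after)}


class FakeInspector2:
    """Constructed stand-in for boto3.client('inspector2'); responses follow the real shapes."""

    def __init__(self, admin: str, members: List[str], ecr: Dict[str, str]):
        self.admin, self.members, self.ecr = admin, list(members), dict(ecr)

    def list_members(self, onlyAssociated=True, **_):
        return {"members": [{"accountId": a, "delegatedAdminAccountId": self.admin} for a in self.members]}

    def batch_get_account_status(self, accountIds):
        return {
            "accounts": [{"accountId": a, "resourceState": {"ecr": {"status": self.ecr[a]}}}
                         for a in accountIds if a in self.ecr],
            "failedAccounts": [{"accountId": a, "errorCode": "ACCESS_DENIED"}
                               for a in accountIds if a not in self.ecr],
        }

    def enable(self, accountIds, resourceTypes):
        if RESOURCE_TYPE_ECR in resourceTypes:
            for a in accountIds:
                self.ecr[a] = "ENABLED"
        return {"accounts": [], "failedAccounts": []}

    def disassociate_member(self, accountId):
        self.members.remove(accountId)
        return {"accountId": accountId}


# Constructed scenario: admin enabled, one active member disabled, one suspended member disabled.
ADMIN = "111111111111"
SAMPLE = FakeInspector2(ADMIN, ["222222222222", "333333333333", "444444444444"],
                        {ADMIN: "ENABLED", "222222222222": "DISABLED",
                         "333333333333": "DISABLED", "444444444444": "ENABLED"})
```

Run `remediate(SAMPLE, ADMIN, {"333333333333"})` and the active member is enabled, the suspended member is disassociated, and the re-evaluation returns PASSED; calling `evaluate_control(ecr_status_by_account(...))` first shows the FAILED state the control would report. Because Inspector is Regional, run this once per Region the control flags.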