Amazon ECR Integration

This integration enables the Amazon Elastic Container Registry (ECR) to automatically trigger an event or action every time a new container is pushed into the registry.

Sysdig offers two different operational modes for this integration: inline or backend scanning.

The final goal of integration is the same:

  • Images are scanned and evaluated against your Sysdig Secure image scanning policies

  • The image scanning report and evaluation is available in Sysdig Secure

Planning: Inline vs. Backend Scanning

Consider the following points when deciding which option to choose.

With Inline Scanning Mode:

Images will be scanned directly in an AWS pipeline, sending just the required metadata to perform the policy evaluation to the Sysdig backend.

  • No need to configure any registry credentials for Sysdig Secure

  • No need to expose your ECR registry to the Sysdig Secure backend

  • Sysdig Secure will not retrieve the image contents, only the metadata that is required to perform the policy evaluation

  • Scanning will be performed inside the CodeBuild pipeline allocating ephemeral resources

With Backend Scanning Mode:

The image reference is sent to the Sysdig backend, which will then pull the image and perform the scan.

  • Your ECR registry must be reachable by the Sysdig Secure backend

  • Registry credentials are required, but they are pushed automatically by the lambda function, no need for manual configuration

  • Sysdig Secure will retrieve the full image contents in order to perform the scan

Prerequisites

  • Amazon ECR registry that is used to push the images you want to scan

  • Sysdig Secure account and the associated API token

  • IAM permissions to create an EventBridge rule

  • For inline scanning: IAM permissions to create a CodeBuild project

  • For backend scanning

    • IAM permission to create a lambda function

    • ECR registry must be accessible from the Sysdig Secure backend

Deploy the Integration

  1. Log into your AWS account and launch the following CloudFormation template,

    ecr1.png

    Ensure you are deploying in the desired AWS region, and click Next.

  2. Configure the primary integration parameters.

    ecr2.png
    • Stack name: Defaults to ECRImageScanning. You can use any name you wish.

    • ScanningType: Defaults to inline. Choose Backend if desired.

    • SysdigSecureAPIToken: You can retrieve this token by accessing your Sysdig Secure account> Settings.

    • SysdigSecureEndpoint: The backend used to perform the policy evaluation. Defaults to the Sysdig Secure SaaS endpoint.

    Click Next.

  3. Check the configuration options and edit them if necessary.

    You will be presented with the default configuration options associated with the creation of a new AWS CloudFormation stack: tags, permissions, stack policy, etc. For the default case, no modifications are required for the integration to work. Adjust to your organization policies as needed.

  4. Finalize resource creation.

    Review the parameters and check the I acknowledge... box for resource creation.

    ecr3.png

    Click Create Stack.

  5. Confirm successful completion.

    As soon as the CloudFormation stack is marked CREATE_COMPLETE, the integration is finalized.

    • Any image you push to the ECR registries in this AWS region will be automatically scanned

    • Image scanning results will be available in Sysdig Secure a few minutes after the push

    ecr4.png