Image Scanning
Image scanning is a feature of Amazon ECR that helps users identify known software vulnerabilities in the container images stored in their repositories. When scan-on-push is enabled for a repository, every image pushed to it is scanned automatically: the operating-system packages inside the image are compared against a vulnerability database keyed by Common Vulnerabilities and Exposures (CVE) identifiers. Users can review the scan findings, which are grouped by severity, and prioritize the actions needed to mitigate the risk, for example rebuilding the image with patched packages. This helps in maintaining a secure and compliant container image repository.
Guide to Image Scanning in Amazon ECR
What is it?
Image scanning in Amazon Elastic Container Registry (ECR) is a feature that helps in identifying software vulnerabilities in your Docker images. It works by comparing the packages included in the image against a database of known vulnerabilities.
Why is it important?
With image scanning you can catch vulnerable images before they are deployed, surfacing known weaknesses before the application is exposed to live traffic. This is crucial for keeping the applications built from images stored in Amazon ECR secure.
How does it work?
When you push an image to ECR, Amazon can automatically scan it for vulnerabilities (if scan-on-push is enabled), or you can start a scan manually. Basic scanning uses the open-source Clair project, which matches the operating-system packages in the image against distribution security advisories that reference CVE identifiers; each finding reports the CVE, a severity, and the affected package and version. Two caveats matter in practice: basic scanning covers operating-system packages only, not application dependencies such as npm or pip packages, and an image can be basic-scanned at most once every 24 hours. ECR also offers enhanced scanning, backed by Amazon Inspector, which covers both OS and programming-language packages and rescans images as new CVEs are published.
Exam Tips: Answering Questions on Image Scanning
1. Understand the purpose and functionality of image scanning in Amazon ECR.
2. Remember that automatic scanning on push happens only when scan-on-push is enabled for the repository (or in the registry scanning configuration); otherwise a scan has to be started manually.
3. As a best practice, keep scan-on-push enabled rather than disabling it.
4. Familiarize yourself with how scan findings are presented in the ECR console: a count of findings per severity, and for each finding the CVE identifier, the affected package and its version.
5. The packages inside the image (not the vulnerabilities) are compared against the CVE-keyed vulnerability database.
6. Understand that although scanning is automated, acting on its findings (rebuilding the image with patched packages, or blocking its deployment) is a manual or separately automated step that ECR does not perform for you.
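The following script is an added example, not code from the original page or from AWS. It shows the step that the "How does it work?" section and tip 6 leave to you: turning the scan findings into a deploy/no-deploy decision. It assumes the JSON shape returned by the AWS CLI command `aws ecr describe-image-scan-findings` (a top-level "imageScanStatus" object and an "imageScanFindings" object whose "findings" list carries name, severity and package attributes); the repository name, image tag, package names and CVE identifiers in the embedded sample are constructed placeholders, not real findings.

```python
"""Gate a deployment on Amazon ECR basic image scan findings.

Added example; not from the original page or from AWS. Assumes the JSON shape
returned by `aws ecr describe-image-scan-findings`. Typical CLI workflow this
script sits behind (the repository name and tag are placeholders):
  aws ecr put-image-scanning-configuration --repository-name app \
      --image-scanning-configuration scanOnPush=true
  aws ecr start-image-scan --repository-name app --image-id imageTag=v1.2.3
  aws ecr wait image-scan-complete --repository-name app --image-id imageTag=v1.2.3
  aws ecr describe-image-scan-findings --repository-name app --image-id imageTag=v1.2.3
"""
import json
import subprocess
from collections import Counter

# Severity levels reported by ECR basic scanning, lowest to highest.
# ECR can also report UNDEFINED; it is deliberately absent here so that an
# unknown severity is treated as blocking (fail closed) in evaluate().
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def fetch_scan_findings(repository, image_tag, region=None):
    """Call the AWS CLI and return the parsed response (network call, not run offline)."""
    cmd = ["aws", "ecr", "describe-image-scan-findings",
           "--repository-name", repository,
           "--image-id", f"imageTag={image_tag}",
           "--output", "json"]
    if region:
        cmd += ["--region", region]
    return json.loads(subprocess.check_output(cmd))


def package_of(finding):
    """Return (package_name, package_version) from a finding's attribute list."""
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return attrs.get("package_name", "unknown"), attrs.get("package_version", "unknown")


def severity_counts(scan_response):
    """Count findings per severity from the findings list itself, so the
    result can be cross-checked against the findingSeverityCounts summary."""
    findings = scan_response.get("imageScanFindings", {}).get("findings", [])
    return Counter(f.get("severity", "UNDEFINED") for f in findings)


def evaluate(scan_response, fail_on="HIGH"):
    """Return (passed, blocking_findings), most severe first.

    Fails closed: a scan whose status is not COMPLETE blocks the deployment,
    as does any finding at or above the fail_on severity or with an unknown
    severity (UNDEFINED or a value not in SEVERITY_RANK).
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, []
    threshold = SEVERITY_RANK[fail_on]
    findings = scan_response.get("imageScanFindings", {}).get("findings", [])
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.get("severity"), 99) >= threshold]
    blocking.sort(key=lambda f: -SEVERITY_RANK.get(f.get("severity"), 99))
    return not blocking, blocking


def report(scan_response, fail_on="HIGH"):
    """Human-readable summary with one line per blocking finding."""
    passed, blocking = evaluate(scan_response, fail_on)
    counts = ", ".join(f"{k}={v}" for k, v in sorted(severity_counts(scan_response).items()))
    lines = [f"scan status: {scan_response.get('imageScanStatus', {}).get('status')}",
             f"severity counts: {counts}"]
    for f in blocking:
        name, version = package_of(f)
        lines.append(f"  BLOCK {f['severity']:<9} {f['name']}  {name} {version}")
    lines.append("result: PASS" if passed else f"result: FAIL (threshold {fail_on})")
    return "\n".join(lines)


# Constructed sample response for offline use. The CVE identifiers, package
# names and versions are placeholders, not real findings.
SAMPLE_RESPONSE = {
    "repositoryName": "app",
    "imageId": {"imageTag": "v1.2.3"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-2099-0001", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0.0-1"}]},
            {"name": "CVE-2099-0002", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "openexample"},
                            {"key": "package_version", "value": "2.4.1-3"}]},
            {"name": "CVE-2099-0003", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "exampleutils"},
                            {"key": "package_version", "value": "0.9.8"}]},
        ],
    },
}

if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE))
    raise SystemExit(0 if evaluate(SAMPLE_RESPONSE)[0] else 1)
```

Run in a pipeline, the non-zero exit code blocks the deployment stage until the image is rebuilt with patched packages. The gate fails closed on purpose: an IN_PROGRESS or FAILED scan status, or a finding with an UNDEFINED severity, is never treated as a clean image, because a missing or inconclusive scan is not evidence of safety.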
AWS Certified Solutions Architect - Amazon Elastic Container Registry (ECR) Example Questions
Test your knowledge of Amazon Elastic Container Registry (ECR)
Question 1
You have learned of a vulnerability, and a patch for it, that affects software in one of your container images. How can you assess the container image using Amazon ECR?
Question 2
You are using Amazon ECR to store container images. What is the best way to automate vulnerability scanning for every new image pushed to an ECR repository?
Question 3
An organization is using CircleCI to build Docker images for their applications. They want to add security scanning that automatically checks images for vulnerabilities. What service can be directly integrated into this workflow?