aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[ECS/ECR] [request]: Ability to lookup ECS tasks across AWS accounts running with vulnerable container images #908

Open toricls opened 4 years ago

toricls commented 4 years ago

Community Note

Tell us about your request

Regarding ECR’s image scanning, we have to find which tasks are actually using the container image that was reported as having vulns in it. It would be great if we could look up and/or list the tasks (and the services which refer to them) across AWS accounts from within the ECR management console.

and/or

It would also be good if the ECR events just included a “Here is a list of tasks/services which are using this vulnerable image”.

Which service(s) is this request for?

ECS, ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

The ECR image scanning feature can report images’ vulns for us, but we have to find out by ourselves whether we have running tasks with that image, by looking around the ECS console or grepping task/service definitions in our git repositories, for example. We could make ECR’s vuln reports more actionable if it were possible to quickly look up such vulnerable ECS tasks/services from the ECR management console.

Are you currently working around this issue?

I have not implemented it yet, but if I do, I’d keep track of all the active container image names by recording ECS task start/stop events into a DynamoDB table and/or Elasticsearch, and look up vulnerable tasks/services with a Lambda function which subscribes to the ECR image scanning events.

Additional context

Attachments
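The workaround sketched in the comment above (record ECS task start/stop events, then look up the tasks running a scanned image when an ECR scan completes), as an added example that is not code from the issue, from AWS, or from this roadmap project. It is plain Python that runs offline: a dict stands in for the DynamoDB table, and the event dicts follow the documented EventBridge shapes for "ECS Task State Change" and "ECR Image Scan" events but are constructed samples, not captured ones. The account IDs, task ARNs, digests and the `app` repository are made up.

```python
"""Added example, not code from the issue, AWS, or the roadmap project: the
workaround toricls sketches, written as plain Python that runs offline. A dict
stands in for the DynamoDB table. The events follow the documented EventBridge
shapes for "ECS Task State Change" and "ECR Image Scan" but are constructed."""
import re
from collections import defaultdict

# Splits an ECR image reference into registry account, region, repo, tag, digest.
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

inventory = defaultdict(dict)  # image digest -> {taskArn: record}; the "table"


def parse_image_ref(image):
    m = ECR_IMAGE_RE.match(image)
    return m.groupdict() if m else {}


def handle_task_state_change(event):
    """Handler for "ECS Task State Change": index RUNNING tasks under the digest
    ECS actually pulled, drop STOPPED tasks."""
    d = event["detail"]
    task_arn = d["taskArn"]
    if d["lastStatus"] == "STOPPED":
        for tasks in inventory.values():
            tasks.pop(task_arn, None)
        return
    if d["lastStatus"] != "RUNNING":
        return  # PENDING/PROVISIONING: the digest is not settled yet
    for c in d.get("containers", []):
        digest = c.get("imageDigest")
        if not digest:
            continue  # without the pulled digest a tag match would be a guess
        ref = parse_image_ref(c["image"])
        inventory[digest][task_arn] = {
            "account": event["account"],             # account running the task
            "cluster": d["clusterArn"],
            "service": d.get("group", ""),           # "service:<name>" for service tasks
            "registry_account": ref.get("account"),  # account hosting the image
            "repo": ref.get("repo"),
            "pulled_as": c["image"],
        }


def find_affected_tasks(scan_event, severities=("CRITICAL", "HIGH")):
    """Handler for "ECR Image Scan": return records of tasks running the scanned
    digest when the scan is COMPLETE and has findings at the given severities.
    Matching on digest rather than tag is deliberate: tags are mutable, so a task
    pulled as ":latest" may run a different image than the one now tagged latest."""
    d = scan_event["detail"]
    if d.get("scan-status") != "COMPLETE":
        return []
    counts = d.get("finding-severity-counts", {})
    if not any(counts.get(s, 0) for s in severities):
        return []
    hits = inventory.get(d["image-digest"], {})
    return sorted((dict(task_arn=arn, **rec) for arn, rec in hits.items()),
                  key=lambda r: (r["account"], r["cluster"], r["task_arn"]))


# Constructed sample data: two builds of one image hosted in a registry account.
VULN = "sha256:" + "a" * 64   # build the scan reports as vulnerable
FIXED = "sha256:" + "b" * 64  # newer build that has since taken the ":latest" tag
REGISTRY = "222222222222.dkr.ecr.us-east-1.amazonaws.com/app"


def task_event(account, region, task_id, status, image, digest):
    return {"account": account, "detail-type": "ECS Task State Change", "detail": {
        "clusterArn": f"arn:aws:ecs:{region}:{account}:cluster/prod",
        "taskArn": f"arn:aws:ecs:{region}:{account}:task/prod/{task_id}",
        "group": "service:app", "lastStatus": status, "desiredStatus": status,
        "containers": [{"name": "app", "image": image, "imageDigest": digest}]}}


# aaa pulled ":latest" while it still pointed at VULN; bbb pinned the digest from
# another account and region, then stopped; ccc redeployed ":latest" after the fix.
SAMPLE_TASK_EVENTS = [
    task_event("111111111111", "us-east-1", "aaa", "RUNNING", f"{REGISTRY}:latest", VULN),
    task_event("333333333333", "eu-west-1", "bbb", "RUNNING", f"{REGISTRY}@{VULN}", VULN),
    task_event("111111111111", "us-east-1", "ccc", "RUNNING", f"{REGISTRY}:latest", FIXED),
    task_event("333333333333", "eu-west-1", "bbb", "STOPPED", f"{REGISTRY}@{VULN}", VULN),
]
SAMPLE_SCAN_EVENT = {"account": "222222222222", "detail-type": "ECR Image Scan", "detail": {
    "scan-status": "COMPLETE", "repository-name": "app", "image-digest": VULN,
    "image-tags": ["v1.2"],  # ":latest" has moved to FIXED; a tag match would miss aaa
    "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7}}}


def run_sample():
    inventory.clear()
    for ev in SAMPLE_TASK_EVENTS:
        handle_task_state_change(ev)
    return find_affected_tasks(SAMPLE_SCAN_EVENT)


if __name__ == "__main__":
    for r in run_sample():
        print(r["account"], r["service"], r["task_arn"], "pulled as", r["pulled_as"])
```

Running it reports only task `aaa`: `ccc` runs a different digest even though both were deployed as `:latest`, and `bbb` has stopped. In a real deployment the inventory would be a DynamoDB table with the digest as partition key and the task ARN as sort key, and each workload account would forward its ECS task events to the event bus in the account that runs the lookup, which is what makes the cross-account case work. If you publish multi-architecture images, confirm whether the digest ECS reports is the platform image's or the manifest list's before relying on an exact match.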

RyanFrench commented 4 years ago

This would be very beneficial to my team, as long as this could work cross-account. We currently host ECR in one account, and our multiple ECS clusters in different accounts. I have been asked to investigate triggering scans on ECR for all images with containers running in any of our accounts and was looking to do this with a Lambda, but an integrated solution would be much nicer.