AWS – Amazon Inspector enhances container security by mapping ECR images to running containers
Amazon Inspector now automatically maps your Amazon Elastic Container Registry (Amazon ECR) images to specific tasks running on Amazon Elastic Container Service (Amazon ECS) or pods running on Amazon Elastic Kubernetes Service (Amazon EKS), helping identify where the images are actively in use. This enables you to focus your limited resources on patching the most critical vulnerable images that are associated with running workloads, improving security and mean time to remediation.
With this launch, you can use the Amazon Inspector console or APIs to identify your actively used container images, when you last used an image, and which clusters are running the image. This information will be included in your findings and resource coverage details, and will be routed to EventBridge. You can also control how long an image is monitored by Inspector after its 'last in use' date by updating the ECR re-scan duration using the console or APIs. This is in addition to the existing push and pull date settings. Your Amazon ECR images with continuous scanning enabled on Amazon Inspector will automatically get this updated data within your Amazon Inspector findings.
Amazon Inspector is a vulnerability management service that continually scans AWS workloads including Amazon EC2 instances, container images, and AWS Lambda functions for software vulnerabilities, code vulnerabilities, and unintended network exposure across your entire AWS organization.
This feature is available at no additional cost to Amazon Inspector customers scanning their container images in Amazon Elastic Container Registry (ECR). The feature is available in all commercial and AWS GovCloud (US) Regions where Amazon Inspector is available.