AWS-030 Amazon Web Services (AWS)

ECR repositories have image scanning enabled.

Domain: Amazon Web Services (AWS)
Area: Serverless / Containers
Automated / manual: Automated

Risk if it fails

Vulnerable images get deployed to production.

Shipping unscanned container images means known, fixable vulnerabilities go live — attackers simply look up the public exploit for that version.

How Tess tests it

1 test — each concludes only on cited evidence.

ECR repositories have image scanning enabled.

Automated
Procedure
Confirm scanOnPush is enabled per repository.

Read-only command

aws ecr describe-repositories --query 'repositories[].{Repo:repositoryName,Scan:imageScanningConfiguration.scanOnPush}'
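
Added example, not part of Tess or of the original page: a small evaluator for the JSON that the read-only command above prints, reporting every repository whose Scan value is not true. The sample output, the repository names and the PASS / FAIL / NO_REPOSITORIES labels are assumptions made for this illustration.

```python
import json
import sys

# Constructed sample of what the read-only command prints (names are made up).
SAMPLE_OUTPUT = """
[
  {"Repo": "payments-api", "Scan": true},
  {"Repo": "legacy-batch", "Scan": false},
  {"Repo": "internal-tools", "Scan": null}
]
"""


def evaluate(cli_json):
    """Return (status, failing_repos) for the JSON printed by the command.

    status is PASS, FAIL or NO_REPOSITORIES (labels chosen for this example).
    """
    rows = json.loads(cli_json)
    if not isinstance(rows, list):
        raise ValueError("expected the JSON list produced by the --query expression")
    if not rows:
        # ECR is regional: an empty list may only mean the wrong region or
        # account was queried, so it is reported separately from a pass.
        return "NO_REPOSITORIES", []
    failing = []
    for row in rows:
        if not isinstance(row, dict):
            raise ValueError("each entry must be an object with Repo and Scan keys")
        # Only a literal true passes; false, null or a missing key all fail.
        if row.get("Scan") is not True:
            failing.append(str(row.get("Repo", "<unnamed>")))
    failing.sort()
    return ("FAIL" if failing else "PASS"), failing


if __name__ == "__main__":
    # Use piped CLI output when present, otherwise the constructed sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    status, failing = evaluate(text)
    print(status)
    for name in failing:
        print("scanOnPush not enabled:", name)
    sys.exit({"PASS": 0, "FAIL": 1}.get(status, 2))
```

To use it on real evidence, run the read-only command with --output json in each region that hosts repositories and pipe the result into the script.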
