Onboarding AWS Elastic Container Registry
To configure container registry scanning of an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Elastic Container Registry A collection of repositories used to store and access container images. (ECR), you need to onboard the registry to CloudGuard.
Prerequisites
Before onboarding your Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registry for scanning, select a type of the hosting environment and an applicable authentication method:
-
AWS User Access Key - Standard AWS user access key with the policy AmazonEC2ContainerRegistryReadOnly required for read-only access to the applicable ECR.
-
AWS Node Group Role - For an EKS Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. cluster created in the AWS environment, CloudGuard needs the IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. role of the EKS node to access the AWS services.
To use this option, make sure that:
-
Your host cluster is an EKS cluster.
-
Your EKS cluster is on the same AWS account as the registry.
-
The Amazon EKS worker node IAM role (NodeInstanceRole) has sufficient permissions to access the ECR.
-
Metadata API is enabled on the EC2 Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. node. Enable it again if it is disabled. For more details, see Amazon EC2 documentation.
To learn more about these requirements, see AWS Node Group Role for Amazon ECR.
-
-
AWS Custom Role for Amazon ECR (Kubernetes) - For an EKS cluster created in the AWS environment, CloudGuard needs the custom IAM role to scan ECR registries in the same or across different AWS accounts.
To use this option, make sure that:
-
Your host cluster is an EKS cluster.
-
You have a custom role with sufficient permissions to access the ECR.
-
The IAM role NodeInstanceRole attached to the EKS cluster has the
sts:AssumeRole
permissions. -
Metadata API is enabled on the EC2 node. If it is disabled, enable it again. For more details, see Amazon EC2 documentation.
-
Minimum required agent version: 2.23.0
To learn more about these requirements, see AWS Custom Role for Amazon ECR (Kubernetes).
-
-
AWS User Access Key - Standard AWS user access key with the policy AmazonEC2ContainerRegistryReadOnly required for read-only access to the applicable ECR.
-
AWS ECS Task Role - For an ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. cluster created in the AWS environment, CloudGuard needs the IAM role of the ECS cluster to access the AWS services.
To use this option, make sure that:
-
Your host cluster is an ECS cluster.
-
Your ECS cluster is on the same AWS account as the registry.
-
The Amazon ECS task IAM role (TaskRole) has sufficient permissions to access the ECR.
-
Minimum required agent version: 2.28.0.
-
-
AWS Custom Role for Amazon ECR (AWS ECS) - For an ECS cluster created in the AWS environment, CloudGuard needs the custom IAM role to scan ECR registries in the same or across different AWS accounts.
To use this option, make sure that:
-
Your host cluster is an ECS cluster.
-
You have a custom role with sufficient permissions to access the ECR.
-
The IAM role TaskRole attached to the ECS cluster has the
sts:AssumeRole
permissions -
Minimum required agent version: 2.28.0.
To learn more about these requirements, see Special Roles.
-
Onboarding
To onboard a Container Registry to CloudGuard:
-
In the CloudGuard portal, navigate to Asset > Environments.
-
From the top menu, select Add > Container Registry and follow the setup steps.
-
In the Container Registry Onboarding wizard, enter the registry details:
- Environment Name - Enter a new name for the registry or use the default name. This name allows you to identify the registry later in CloudGuard.
-
Environment Description - Optionally, enter a description.
-
Select an Organizational Unit.
-
Select the type of environment to host your scanner - Kubernetes or AWS ECS scanner.
-
Select a Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. cluster or an AWS environment on which you can run the registry scanner:
-
For Kubernetes, select from the list of clusters with enabled Image Assurance. For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. In this case, you quit the registry onboarding and, after onboarding a new cluster, you need to start the registry onboarding from the beginning.
-
For AWS, select from the list of all AWS environments onboarded to CloudGuard.
-
-
Choose Registry type - Select the AWS Elastic Container Registry (ECR).
-
Registry URI - Enter the approved endpoint name of your ECR in this format:
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
.Important - Make sure the URI does not contain
/<subfolder>
afteramazonaws.com
. -
Authentication Method - Select one of the methods:
-
Pull Secret Name - Create the Kubernetes secret in the same namespace where the Check Point Image Assurance agents are deployed. The secret must contain the image pull credentials.
Make sure that the
<secret-name>
is a valid Kubernetes name. For more details, see the Kubernetes Documentation.To create the secret, run:
kubectl create secret docker-registry <secret-name> \
--namespace <namespace> \ # must be the same namespace as the CloudGuard agent
--docker-server=<registry-uri> \ # <aws_account_id>.dkr.ecr.<region>.amazonaws.com
--docker-username=<AWS_ACCESS_KEY> \
--docker-password=<AWS_SECRET_KEY>
-
AWS Node Group Role or AWS ECS Task Role
-
AWS Custom Role
Role ARN - Use the ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. of the custom role created in Special Roles.
To use these methods, make sure the hosting cluster satisfies all the prerequisites in Prerequisites.
-
-
Click Next to continue to Cluster Configurations.
In this step, you configure the CloudGuard Service Account credentials if in Step 1 you selected to onboard with a new cluster or with the existing cluster that requires an agent update.
For onboarding with the hosting cluster that has updated agents, this step is skipped.
-
Configure a Service Account by one of these methods:
-
Select an existing Service Account with its corresponding API Key.
-
Enter a Service Account manually.
-
Click Add Service Account to create a new account.
-
-
Click Next to continue to the next step.
This step appears when you select to associate the registry with a new cluster or with an existing cluster that requires an agent update. CloudGuard instructs you how to install Image Assurance agents or to update them to the latest version on the cluster.
For onboarding with the hosting cluster that has updated agents, this step is skipped.
CloudGuard shows the details of your new registry and its related cluster.
-
Follow the on-screen instructions to copy the Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. commands and run them on your cluster with Helm 3.
-
Click Next.
CloudGuard shows the full details of your new registry and its related cluster. If your registry onboarding includes onboarding or updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can see its progress in the Cluster and Registry Status.
For more information on the cluster onboarding summary, see STEP 4 - Onboarding Summary.
-
Wait for the deployment completion based on the Cluster and Agent Status or click Finish to skip the process.
Follow the on-screen instructions to use the provided CloudFormation Template and launch the CFT for the ECS scanner.
-
Select to use a new ECS cluster or an existing one.
-
Use the URL to review the CloudFormation Template.
-
Open the AWS Secrets Manager and click Secrets.
-
Click Store a new secret to create an image pull secret with:
-
Secret type: Other type of secret
-
Key: <ECR_URI>
-
Value: <AWS_ACCESS_KEY>:<AWS_SECRET_KEY>
-
-
Open the image pull secret and copy Secret ARN from Secret details. You need this ARN in step 6g.
-
In the CloudGuard wizard, click the link in step 4 to start the CloudFormation Stack Creation Process in your AWS account:
-
On the Stacks page, click Create stack.
-
In Step 1 Create stack, for Prepare template, select Choose an existing template.
-
For Template source, select Amazon S3 URL.
-
In the Amazon S3 URL field, paste the URL you copied in step 2 and click Next.
-
In Step 2 Specify stack details, enter a name for the stack.
-
In Parameters > CloudGuard, paste these details copied from step 5 of the CloudGuard wizard:
-
Environment ID
-
CloudGuard API Key ID
-
CloudGuard API Key Secret
Optionally, you can configure a proxy server and enter these details for the proxy address and proxy bypass:
-
Optional - HTTPS Proxy address - Enter an HTTPS address for a network proxy server
-
Optional - Proxy bypass list - Enter one or more addresses that should bypass the proxy
-
-
In AWS, enter these details:
-
Subnet - Select a subnet.
-
Optional - Registry Secret ARN - Enter the ARN of the secret created in step 3.
-
Optional - Custom CA Certificates ARN - see Certificate for AWS ECS Scanner.
-
-
-
After the creation of the stack, click Finish.
CloudGuard opens the onboarded registry. For onboarding validation, see the Scanners tab that shows the status of the registry and its scanning environment (cluster or AWS ECS).
For registries with the Kubernetes scanner, the related Kubernetes cluster page shows information about the registries that the cluster scans, in the list on Blades > Image Assurance > Image Scan Engine agent.
Special Roles
For the Kubernetes scanner:
The worker node running on your hosting cluster needs the IAM permissions to access the ECR. Kubernetes clusters created with automation like EKS ETL have these permissions by default. Kubernetes clusters created manually may not have the permissions, so you have to add them.
To verify the cluster configuration:
-
Select the cluster to use as a hosting cluster.
-
From the Compute tab, add a new node group or select an existing one.
-
In the selected node group, go to the Details tab.
-
Below Node IAM role ARN, click the ARN link to open the Node Group Role configuration for the attached Role in the EKS cluster.
-
In the Permissions tab, make sure that the AmazonEC2ContainerRegistryReadOnly managed policy is attached to the role.
The worker node running on your hosting cluster needs the custom IAM permissions to access an ECR.
-
On your AWS console, open the IAM Service.
-
Create a custom IAM role on the AWS account of your ECR:
Sample Role PolicyCopy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:ListTagsForResource"
],
"Resource": "arn:aws:ecr:*:<AWS-Account-ID where ECR located>:repository/*"
},
{
"Effect": "Allow",
"Action": ["ecr:GetAuthorizationToken"],
"Resource": "*"
}
]
} -
Create a role trust relationship to give the EKS account access to the ECR account:
Sample Role Trust Relationship
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS-Account-ID where EKS Located>:root"
},
"Action": "sts:AssumeRole"
}
]
} -
Select the cluster to use as a hosting cluster.
-
On the Compute tab, add a new node group or select an existing one.
-
In the Node group section, select the created node group or the default node group.
-
In the selected node group, go to the Details tab.
-
Below Node IAM role ARN, click the ARN link to open the Node Group Role configuration for the attached Role in the EKS cluster.
-
In the Permissions tab, click Add permissions to create a new IAM policy.
-
Select Create inline policy, click JSON to edit the policy, and add the sample policy provided below.
Sample PolicyThis policy uses an ARN of the Custom-IAM-Role that you created in Step 2.
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Resource": "<ARN-Custom-IAM-Role>"
}
]
} -
Click Next.
-
Give a name to the policy and click Create policy. The policy is added and attached to the IAM Node Group Role.
For the AWS ECS scanner:
The ECS Task Role attached to the Service needs the IAM permissions to access the ECR. ECS clusters created manually may not have the permissions, so you have to add them.
To verify the cluster configuration:
-
Open the Amazon Elastic Container Service console.
-
Select the cluster to use as a hosting cluster.
-
From the Task tab, select one of the tasks.
-
In the Configuration panel, click Task definition.
-
Below Task role, click the link to open the Task Role configuration for the attached Role in the ECS cluster.
-
In the Permissions tab, make sure that the AmazonEC2ContainerRegistryReadOnly managed policy is attached to the role.
The ECS Task Role attached to the Service needs the custom IAM permissions to access the ECR.
-
On your AWS console, open the IAM Service.
-
Create a custom IAM role on the AWS account of your ECR:
Sample Role PolicyCopy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:ListTagsForResource"
],
"Resource": "arn:aws:ecr:*:<AWS-Account-ID where ECR located>:repository/*"
},
{
"Effect": "Allow",
"Action": ["ecr:GetAuthorizationToken"],
"Resource": "*"
}
]
} -
Create a role trust relationship to give the EKS account access to the ECR account:
Sample Role Trust Relationship
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS-Account-ID where EKS Located>:root"
},
"Action": "sts:AssumeRole"
}
]
} -
Open the Amazon Elastic Container Service console.
-
Select the cluster to use as a hosting cluster.
-
From the Task tab, select one of the tasks.
-
In the Configuration panel, click Task definition.
-
Below Task role, click the link to open the Task Role configuration for the attached Role in the ECS cluster.
-
In the Permissions tab, click Add permissions to create a new IAM policy.
-
Select Create inline policy, click JSON to edit the policy, and add the sample policy provided below.
Sample PolicyThis policy uses an ARN of the Custom-IAM-Role that you created in Step 2.
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Resource": "<ARN-Custom-IAM-Role>"
}
]
} -
Click Next.
-
Give a name to the policy and click Create policy. The policy is added and attached to the IAM Node Group Role.