Onboarding AWS Elastic Container Registry
To configure container registry scanning of an AWS Elastic Container Registry (ECR), you need to onboard the registry to CloudGuard.
Prerequisites
Before onboarding your Container Registry for scanning, select the type of environment that hosts the scanner and an applicable authentication method:

For the Kubernetes scanner:
- AWS User Access Key - A standard AWS user access key with the AmazonEC2ContainerRegistryReadOnly managed policy, which grants read-only access to the applicable ECR.
- AWS Node Group Role - For an EKS cluster created in the AWS environment, CloudGuard uses the IAM role of the EKS worker nodes to access the AWS services.
  To use this option, make sure that:
  - Your host cluster is an EKS cluster.
  - Your EKS cluster is in the same AWS account as the registry.
  - The Amazon EKS worker node IAM role (NodeInstanceRole) has sufficient permissions to access the ECR.
  - The EC2 Instance Metadata Service (metadata API) is enabled on the worker nodes; the agent obtains the node role credentials from it. If it is disabled, enable it again. For more details, see the Amazon EC2 documentation.
  To learn more about these requirements, see AWS Node Group Role for Amazon ECR.
- AWS Custom Role for Amazon ECR (Kubernetes) - For an EKS cluster created in the AWS environment, CloudGuard assumes a custom IAM role to scan ECR registries in the same or in a different AWS account.
  To use this option, make sure that:
  - Your host cluster is an EKS cluster.
  - You have a custom role with sufficient permissions to access the ECR.
  - The NodeInstanceRole attached to the EKS cluster has sts:AssumeRole permission on the custom role.
  - The EC2 Instance Metadata Service (metadata API) is enabled on the worker nodes. If it is disabled, enable it again. For more details, see the Amazon EC2 documentation.
  - Minimum required agent version: 2.23.0
  To learn more about these requirements, see AWS Custom Role for Amazon ECR (Kubernetes).

For the AWS ECS scanner:
- AWS User Access Key - A standard AWS user access key with the AmazonEC2ContainerRegistryReadOnly managed policy, which grants read-only access to the applicable ECR.
- AWS ECS Task Role - For an ECS cluster created in the AWS environment, CloudGuard uses the IAM task role of the scanner task to access the AWS services.
  To use this option, make sure that:
  - Your host cluster is an ECS cluster.
  - Your ECS cluster is in the same AWS account as the registry.
  - The Amazon ECS task IAM role (TaskRole) has sufficient permissions to access the ECR.
  - Minimum required agent version: 2.28.0
- AWS Custom Role for Amazon ECR (AWS ECS) - For an ECS cluster created in the AWS environment, CloudGuard assumes a custom IAM role to scan ECR registries in the same or in a different AWS account.
  To use this option, make sure that:
  - Your host cluster is an ECS cluster.
  - You have a custom role with sufficient permissions to access the ECR.
  - The TaskRole attached to the ECS cluster has sts:AssumeRole permission on the custom role.
  - Minimum required agent version: 2.28.0
  To learn more about these requirements, see Special Roles.
Onboarding
To onboard a Container Registry to CloudGuard:
1. In the CloudGuard portal, navigate to Asset > Environments.
2. From the top menu, select Add > Container Registry and follow the setup steps.
3. In the Container Registry Onboarding wizard (wizard Step 1), enter the registry details:
   - Environment Name - Enter a new name for the registry or use the default name. This name identifies the registry later in CloudGuard.
   - Environment Description - Optionally, enter a description.
   - Organizational Unit - Select an Organizational Unit.
   - Scanner environment - Select the type of environment that hosts your scanner: Kubernetes or AWS ECS.
   - Hosting cluster or environment - Select the Kubernetes cluster or the AWS environment on which to run the registry scanner:
     - For Kubernetes, select from the list of clusters with Image Assurance enabled. For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. This quits the registry onboarding; after the new cluster is onboarded, start the registry onboarding again from the beginning.
     - For AWS, select from the list of all AWS environments onboarded to CloudGuard.
   - Registry type - Select AWS Elastic Container Registry (ECR).
   - Registry URI - Enter the endpoint of your ECR in this format:
     <aws_account_id>.dkr.ecr.<region>.amazonaws.com
     Important - Make sure the URI does not contain a /<subfolder> path after amazonaws.com.
   - Authentication Method - Select one of these methods:
     - Pull Secret Name - Create a Kubernetes secret that contains the image pull credentials, in the same namespace where the Check Point Image Assurance agents are deployed. Make sure that <secret-name> is a valid Kubernetes name; for more details, see the Kubernetes documentation. To create the secret, run the command below, where <namespace> is the namespace of the CloudGuard agents and <registry-uri> is the Registry URI entered above (<aws_account_id>.dkr.ecr.<region>.amazonaws.com):
       kubectl create secret docker-registry <secret-name> \
         --namespace <namespace> \
         --docker-server=<registry-uri> \
         --docker-username=<AWS_ACCESS_KEY> \
         --docker-password=<AWS_SECRET_KEY>
     - AWS Node Group Role or AWS ECS Task Role - The scanner uses the IAM role of the hosting cluster; no credentials are entered in the wizard.
     - AWS Custom Role - Role ARN - Enter the ARN of the custom role created in Special Roles.
     To use the role-based methods, make sure the hosting cluster satisfies all the requirements in Prerequisites.

For the Kubernetes scanner, continue with these steps:
4. Click Next to continue to Cluster Configurations.
   In this step, you configure the CloudGuard Service Account credentials if in the registry details you selected a new cluster or an existing cluster that requires an agent update. If the hosting cluster already has up-to-date agents, this step is skipped.
   Configure a Service Account by one of these methods:
   - Select an existing Service Account with its corresponding API Key.
   - Enter a Service Account manually.
   - Click Add Service Account to create a new account.
5. Click Next to continue to the next step.
   This step appears when you associate the registry with a new cluster or with an existing cluster that requires an agent update. CloudGuard instructs you how to install the Image Assurance agents, or how to update them to the latest version, on the cluster. If the hosting cluster already has up-to-date agents, this step is skipped.
   CloudGuard shows the details of your new registry and its related cluster. Follow the on-screen instructions to copy the Helm commands and run them on your cluster with Helm 3.
6. Click Next.
   CloudGuard shows the full details of your new registry and its related cluster. If your registry onboarding includes onboarding or updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can follow its progress in the Cluster and Registry Status. For more information on the cluster onboarding summary, see STEP 4 - Onboarding Summary.
7. Wait for the deployment to complete based on the Cluster and Agent Status, or click Finish to skip waiting.

For the AWS ECS scanner, continue with these steps:
4. Follow the on-screen instructions to use the provided CloudFormation Template (CFT) and launch it for the ECS scanner:
   1. Select whether to use a new ECS cluster or an existing one.
   2. Use the URL to review the CloudFormation Template.
   3. Open AWS Secrets Manager and click Secrets.
   4. Click Store a new secret to create an image pull secret with:
      - Secret type: Other type of secret
      - Key: <ECR_URI>
      - Value: <AWS_ACCESS_KEY>:<AWS_SECRET_KEY>
   5. Open the image pull secret and copy the Secret ARN from Secret details. You need this ARN in step 6g.
   6. In the CloudGuard wizard, click the link in wizard step 4 to start the CloudFormation stack creation in your AWS account:
      a. On the Stacks page, click Create stack.
      b. In Step 1 Create stack, for Prepare template, select Choose an existing template.
      c. For Template source, select Amazon S3 URL.
      d. In the Amazon S3 URL field, paste the URL you copied in step 2 and click Next.
      e. In Step 2 Specify stack details, enter a name for the stack.
      f. In Parameters > CloudGuard, paste these details copied from wizard step 5 of the CloudGuard wizard: Environment ID, CloudGuard API Key ID, and CloudGuard API Key Secret.
      g. In AWS, enter these details:
         - Subnet - Select a subnet.
         - Optional - Registry Secret ARN - Enter the ARN of the secret created in step 4.
         - Optional - Custom CA Certificates ARN - See Certificate for AWS ECS Scanner.
5. After the stack is created, click Finish.

CloudGuard opens the onboarded registry. To validate the onboarding, open the Scanners tab, which shows the status of the registry and of its scanning environment (cluster or AWS ECS).
For registries with the Kubernetes scanner, the related Kubernetes cluster page lists the registries that the cluster scans under Blades > Image Assurance > Image Scan Engine agent.
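The two wizard inputs that are easiest to get wrong are the Registry URI (a bare ECR hostname, with no scheme and no /<subfolder>) and the pull-secret name (which must be a valid Kubernetes object name). The following added example, which is not part of the CloudGuard documentation or product, checks both before you start the wizard. The region pattern, the function names and the list of returned problems are this example's own assumptions; it validates format only and does not contact AWS or the cluster.

```python
"""Pre-flight checks for the ECR registry details entered in the CloudGuard wizard.

Added example, not CloudGuard product code. It validates only the format of the
inputs and does not contact AWS or the cluster.
"""
import re
from typing import List, Optional, Tuple

# Bare ECR endpoint: <aws_account_id>.dkr.ecr.<region>.amazonaws.com
# The region pattern is an assumption that covers the commercial and GovCloud
# partitions (for example us-east-1, eu-central-1, us-gov-west-1).
ECR_URI_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$"
)

# Kubernetes object names (Secrets included) are RFC 1123 DNS subdomains:
# lowercase alphanumerics, '-' and '.', start and end alphanumeric, at most 253 chars.
K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def parse_ecr_uri(uri: str) -> Tuple[str, str]:
    """Return (account_id, region) for a well-formed ECR registry URI.

    Raises ValueError with a specific reason for the common mistakes:
    a scheme prefix, a repository path after the hostname, or a non-ECR host.
    """
    if "://" in uri:
        raise ValueError("Registry URI must not include a scheme such as https://")
    host, sep, path = uri.partition("/")
    if sep:
        raise ValueError(
            f"Registry URI must not contain a /<subfolder> after amazonaws.com (got /{path})"
        )
    m = ECR_URI_RE.match(host)
    if not m:
        raise ValueError(
            "Registry URI must have the form <aws_account_id>.dkr.ecr.<region>.amazonaws.com"
        )
    return m.group("account"), m.group("region")


def is_valid_k8s_name(name: str) -> bool:
    """True if name is a valid Kubernetes object name (RFC 1123 DNS subdomain)."""
    return len(name) <= 253 and K8S_NAME_RE.match(name) is not None


def check_registry_inputs(registry_uri: str, secret_name: Optional[str] = None) -> List[str]:
    """Collect every problem with the wizard inputs instead of stopping at the first.

    secret_name is only checked when the Pull Secret Name authentication method is used.
    """
    problems = []
    try:
        parse_ecr_uri(registry_uri)
    except ValueError as exc:
        problems.append(str(exc))
    if secret_name is not None and not is_valid_k8s_name(secret_name):
        problems.append(
            f"Pull secret name {secret_name!r} is not a valid Kubernetes name "
            "(lowercase alphanumerics, '-' and '.', must start and end alphanumeric)"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the account id is a placeholder.
    for uri in (
        "123456789012.dkr.ecr.us-east-1.amazonaws.com",
        "123456789012.dkr.ecr.us-east-1.amazonaws.com/team-a",
        "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    ):
        print(uri, "->", check_registry_inputs(uri, "ecr-pull-secret") or "ok")
```

Run the checks against the exact string you intend to paste into the Registry URI field and into the kubectl --docker-server option, since the two must match.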
Special Roles
For the Kubernetes scanner:

AWS Node Group Role
The worker nodes of your hosting cluster need IAM permissions to access the ECR. Kubernetes clusters created with automation such as eksctl have these permissions by default. Kubernetes clusters created manually may not have them, so you have to add them.
To verify the cluster configuration:
1. In the Amazon EKS console, select the cluster to use as a hosting cluster.
2. From the Compute tab, add a new node group or select an existing one.
3. In the selected node group, go to the Details tab.
4. Below Node IAM role ARN, click the ARN link to open the IAM configuration of the role attached to the node group.
5. In the Permissions tab, make sure that the AmazonEC2ContainerRegistryReadOnly managed policy is attached to the role.

AWS Custom Role for Amazon ECR (Kubernetes)
The worker nodes of your hosting cluster need permission to assume a custom IAM role that has access to the ECR, which can be in the same or in a different AWS account.
1. In the AWS console, open the IAM service.
2. In the AWS account of your ECR, create a custom IAM role with this permissions policy. The repository actions are limited to repositories in the ECR account; ecr:GetAuthorizationToken does not support resource-level permissions, so its Resource must be "*".
Sample Role Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ],
      "Resource": "arn:aws:ecr:*:<AWS-Account-ID where ECR located>:repository/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    }
  ]
}
3. Add a trust relationship to the custom role so that the EKS account can assume it:
Sample Role Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS-Account-ID where EKS located>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
This trust policy delegates to the whole EKS account: any principal in that account that is itself allowed sts:AssumeRole on this role can assume it. To tighten it, replace the :root principal with the ARN of the NodeInstanceRole that you open in step 7.
4. In the Amazon EKS console, select the cluster to use as a hosting cluster.
5. On the Compute tab, add a new node group or select an existing one (the node group you created or the default node group).
6. In the selected node group, go to the Details tab.
7. Below Node IAM role ARN, click the ARN link to open the IAM configuration of the role attached to the node group.
8. In the Permissions tab, click Add permissions and select Create inline policy.
9. Click JSON to edit the policy and add the sample policy below. This policy references the ARN of the custom IAM role that you created in step 2.
Sample Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": "<ARN-Custom-IAM-Role>"
    }
  ]
}
10. Click Next.
11. Give the policy a name and click Create policy. The policy is created and attached to the IAM node group role.
For the AWS ECS scanner:

AWS ECS Task Role
The ECS task role attached to the scanner service needs IAM permissions to access the ECR. ECS clusters created manually may not have these permissions, so you have to add them.
To verify the cluster configuration:
1. Open the Amazon Elastic Container Service console.
2. Select the cluster to use as a hosting cluster.
3. From the Tasks tab, select one of the tasks.
4. In the Configuration panel, click Task definition.
5. Below Task role, click the link to open the IAM configuration of the task role attached to the task definition.
6. In the Permissions tab, make sure that the AmazonEC2ContainerRegistryReadOnly managed policy is attached to the role.

AWS Custom Role for Amazon ECR (AWS ECS)
The ECS task role attached to the scanner service needs permission to assume a custom IAM role that has access to the ECR, which can be in the same or in a different AWS account.
1. In the AWS console, open the IAM service.
2. In the AWS account of your ECR, create a custom IAM role with this permissions policy. The repository actions are limited to repositories in the ECR account; ecr:GetAuthorizationToken does not support resource-level permissions, so its Resource must be "*".
Sample Role Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ],
      "Resource": "arn:aws:ecr:*:<AWS-Account-ID where ECR located>:repository/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    }
  ]
}
3. Add a trust relationship to the custom role so that the ECS account can assume it:
Sample Role Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS-Account-ID where ECS located>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
This trust policy delegates to the whole ECS account: any principal in that account that is itself allowed sts:AssumeRole on this role can assume it. To tighten it, replace the :root principal with the ARN of the TaskRole that you open in step 7.
4. Open the Amazon Elastic Container Service console and select the cluster to use as a hosting cluster.
5. From the Tasks tab, select one of the tasks.
6. In the Configuration panel, click Task definition.
7. Below Task role, click the link to open the IAM configuration of the task role attached to the task definition.
8. In the Permissions tab, click Add permissions and select Create inline policy.
9. Click JSON to edit the policy and add the sample policy below. This policy references the ARN of the custom IAM role that you created in step 2.
Sample Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": "<ARN-Custom-IAM-Role>"
    }
  ]
}
10. Click Next.
11. Give the policy a name and click Create policy. The policy is created and attached to the IAM task role.
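The Kubernetes and ECS custom-role procedures above differ only in which role does the assuming (NodeInstanceRole or TaskRole); the three IAM documents are the same. The following added example, which is not CloudGuard code and does not contact AWS, generates those documents from two role ARNs and cross-checks them for the mistakes that make the cross-account chain fail or over-grant: an inline policy pointing at a different role, a trust principal from the wrong account, or write actions slipping into the repository statement. The narrow option, which trusts only the scanner role instead of the account's :root, is an added hardening rather than the page's sample. The account ids, role names and function names are placeholders chosen for this example.

```python
"""Generate and cross-check the IAM documents for the CloudGuard custom-role setup.

Added example, not CloudGuard product code. It reproduces the three documents
from the Special Roles procedure (custom role permissions, its trust policy, and
the sts:AssumeRole inline policy on the scanner's NodeInstanceRole or TaskRole)
and checks that they reference each other consistently. It does not call AWS.
"""
import json
import re
from typing import Dict, List

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Read-only ECR actions used by the page's sample role policy.
ECR_READ_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:DescribeImages",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:ListTagsForResource",
]


def account_of(role_arn: str) -> str:
    """Extract the 12-digit account id from an IAM role ARN."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return m.group(1)


def ecr_read_policy(ecr_account_id: str) -> Dict:
    """Permissions policy of the custom role, which lives in the ECR account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ECR_READ_ACTIONS,
                "Resource": f"arn:aws:ecr:*:{ecr_account_id}:repository/*",
            },
            # GetAuthorizationToken has no resource-level permissions, hence "*".
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        ],
    }


def trust_policy(scanner_role_arn: str, narrow: bool = True) -> Dict:
    """Trust policy of the custom role.

    The page's sample trusts the whole scanner account (":root"). With
    narrow=True (an added hardening, not from the page) only the scanner's
    NodeInstanceRole or TaskRole is trusted.
    """
    principal = scanner_role_arn if narrow else f"arn:aws:iam::{account_of(scanner_role_arn)}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Statement1", "Effect": "Allow",
             "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
        ],
    }


def assume_role_policy(custom_role_arn: str) -> Dict:
    """Inline policy attached to the scanner's NodeInstanceRole or TaskRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": custom_role_arn}
        ],
    }


def build_documents(custom_role_arn: str, scanner_role_arn: str, narrow: bool = True) -> Dict[str, Dict]:
    """Produce all three documents; the custom role must be in the ECR account."""
    return {
        "permissions": ecr_read_policy(account_of(custom_role_arn)),
        "trust": trust_policy(scanner_role_arn, narrow),
        "assume": assume_role_policy(custom_role_arn),
    }


def check_role_chain(docs: Dict[str, Dict], custom_role_arn: str, scanner_role_arn: str) -> List[str]:
    """Return inconsistencies that would make the scanner's AssumeRole fail or grant too much."""
    problems = []
    ecr_account = account_of(custom_role_arn)
    scanner_account = account_of(scanner_role_arn)

    # 1. The inline policy on the scanner role must name exactly the custom role.
    targets = {s["Resource"] for s in docs["assume"]["Statement"] if s.get("Action") == ["sts:AssumeRole"]}
    if targets != {custom_role_arn}:
        problems.append(f"assume-role policy targets {sorted(targets)}, expected {custom_role_arn}")

    # 2. The trust policy must admit the scanner's role or its account, nothing else.
    for s in docs["trust"]["Statement"]:
        principal = s.get("Principal", {}).get("AWS")
        if principal not in (scanner_role_arn, f"arn:aws:iam::{scanner_account}:root"):
            problems.append(f"trust policy principal {principal} is not the scanner role or its account")

    # 3. Repository permissions must stay in the ECR account and stay read-only.
    for s in docs["permissions"]["Statement"]:
        actions = set(s["Action"])
        if actions == {"ecr:GetAuthorizationToken"}:
            continue
        if not actions <= set(ECR_READ_ACTIONS):
            problems.append(f"non read-only ECR actions: {sorted(actions - set(ECR_READ_ACTIONS))}")
        if s["Resource"] != f"arn:aws:ecr:*:{ecr_account}:repository/*":
            problems.append(f"repository resource {s['Resource']} is not scoped to account {ecr_account}")
    return problems


if __name__ == "__main__":
    # Placeholder ARNs: 111111111111 hosts the ECR, 222222222222 hosts the EKS/ECS scanner.
    custom = "arn:aws:iam::111111111111:role/CloudGuardEcrReadRole"
    scanner = "arn:aws:iam::222222222222:role/eksctl-scanner-NodeInstanceRole"
    docs = build_documents(custom, scanner)
    for name, doc in docs.items():
        print(f"--- {name}\n{json.dumps(doc, indent=2)}")
    print("problems:", check_role_chain(docs, custom, scanner) or "none")
```

Paste the printed permissions and trust documents into the custom role in the ECR account and the assume document as the inline policy on the node group or task role; the same check can be run on documents exported from an existing account before onboarding.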