Use Defender for Containers to scan your Amazon AWS Elastic Container Registry images for vulnerabilities (Preview)

Defender for Containers lets you scan the container images stored in your Amazon Elastic Container Registry (Amazon ECR) repositories as part of the protections provided by Microsoft Defender for Cloud.

To scan container images for vulnerabilities, you have to connect your AWS account to Defender for Cloud and enable Defender for Containers. The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.

Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum.

These resources are created in the us-east-1 and eu-central-1 regions of each AWS account where container vulnerability assessment is enabled:

  • S3 bucket with the prefix defender-for-containers-va
  • ECS cluster with the name defender-for-containers-va
  • VPC
    • Tag name with the value defender-for-containers-va
    • IP subnet CIDR 10.0.0.0/16
    • Associated with a default security group, with the tag name and the value defender-for-containers-va, that has a single rule allowing all incoming traffic
    • Subnet with the tag name and the value defender-for-containers-va in the defender-for-containers-va VPC, with the CIDR 10.0.1.0/24, used by the ECS cluster defender-for-containers-va
    • Internet Gateway with the tag name and the value defender-for-containers-va
    • Route table with the tag name and the value defender-for-containers-va, with these routes:
      • Destination: 0.0.0.0/0; Target: Internet Gateway with the tag name and the value defender-for-containers-va
      • Destination: 10.0.0.0/16; Target: local
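A practitioner will want to confirm that the stack created exactly what is listed above and nothing more, since the VPC has an internet gateway and a security group that admits all inbound traffic. The following is an added example, not Microsoft's or AWS's code: it reads saved output of aws ec2 describe-vpcs, describe-subnets, describe-security-groups and describe-route-tables and reports drift from the documented layout (wrong CIDR, missing subnet, extra inbound rules, undocumented routes). The sample responses inside it are constructed, the resource IDs are placeholders, and it assumes the "tag name" above is a tag with the key Name.

```python
"""Audit the network resources the defender-for-containers-va stack is documented
to create and report drift. Editor-added example, not Microsoft's or AWS's code.
Reads the JSON shapes of `aws ec2 describe-vpcs`, `describe-subnets`,
`describe-security-groups` and `describe-route-tables`. Sample responses are
constructed. Assumption: the documented "tag name" is a tag with key `Name`."""
import copy
import json
import sys

TAG = "defender-for-containers-va"
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDR = "10.0.1.0/24"


def is_tagged(resource, value=TAG):
    """True if the resource has a Name tag (key compared case-insensitively) with the expected value."""
    return any(t.get("Key", "").lower() == "name" and t.get("Value") == value
               for t in resource.get("Tags", []))


def audit(vpcs, subnets, sgs, route_tables):
    """Compare describe-* output with the documented layout.
    Returns {"drift": [...], "inbound_rules": [...]}; empty drift means it matches.
    Inbound rules are listed so a reviewer sees exactly what the group admits."""
    drift, inbound = [], []
    tagged_vpcs = [v for v in vpcs["Vpcs"] if is_tagged(v)]
    if len(tagged_vpcs) != 1:
        return {"drift": [f"expected one VPC tagged {TAG}, found {len(tagged_vpcs)}"], "inbound_rules": []}
    vpc = tagged_vpcs[0]
    if vpc["CidrBlock"] != VPC_CIDR:
        drift.append(f"{vpc['VpcId']} CIDR is {vpc['CidrBlock']}, documented {VPC_CIDR}")

    subs = [s for s in subnets["Subnets"] if is_tagged(s) and s["VpcId"] == vpc["VpcId"]]
    if not any(s["CidrBlock"] == SUBNET_CIDR for s in subs):
        drift.append(f"no {TAG} subnet with CIDR {SUBNET_CIDR} in {vpc['VpcId']}")

    for sg in sgs["SecurityGroups"]:
        if not is_tagged(sg) or sg["VpcId"] != vpc["VpcId"]:
            continue
        rules = sg.get("IpPermissions", [])
        # Documented state is a single inbound rule; more than one means someone added to it.
        if len(rules) != 1:
            drift.append(f"{sg['GroupId']} has {len(rules)} inbound rules, documented layout has 1")
        for r in rules:
            inbound.append({"group": sg["GroupId"], "protocol": r.get("IpProtocol"),
                            "from": [ip["CidrIp"] for ip in r.get("IpRanges", [])]})

    for rt in route_tables["RouteTables"]:
        if not is_tagged(rt) or rt["VpcId"] != vpc["VpcId"]:
            continue
        seen = set()
        for r in rt.get("Routes", []):
            dest, gw = r.get("DestinationCidrBlock"), r.get("GatewayId", "")
            if dest == "0.0.0.0/0" and gw.startswith("igw-"):
                seen.add("internet gateway")
            elif dest == VPC_CIDR and gw == "local":
                seen.add("local")
            else:
                drift.append(f"{rt['RouteTableId']} has undocumented route {dest} -> {gw or r}")
        for missing in sorted({"internet gateway", "local"} - seen):
            drift.append(f"{rt['RouteTableId']} is missing the documented {missing} route")
    return {"drift": drift, "inbound_rules": inbound}


# Constructed sample responses matching the documented layout (IDs are placeholders).
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0example", "CidrBlock": VPC_CIDR,
                         "Tags": [{"Key": "Name", "Value": TAG}]}]}
SAMPLE_SUBNETS = {"Subnets": [{"SubnetId": "subnet-0example", "VpcId": "vpc-0example",
                               "CidrBlock": SUBNET_CIDR, "Tags": [{"Key": "Name", "Value": TAG}]}]}
SAMPLE_SGS = {"SecurityGroups": [{"GroupId": "sg-0example", "VpcId": "vpc-0example",
                                  "Tags": [{"Key": "Name", "Value": TAG}],
                                  "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
SAMPLE_RTS = {"RouteTables": [{"RouteTableId": "rtb-0example", "VpcId": "vpc-0example",
                               "Tags": [{"Key": "Name", "Value": TAG}],
                               "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
                                          {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]}]}


def drifted_sgs():
    """The same security group with an SSH rule added later, to show a drift finding."""
    sgs = copy.deepcopy(SAMPLE_SGS)
    sgs["SecurityGroups"][0]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]})
    return sgs


if __name__ == "__main__":
    # Pass four file paths with saved describe-* output to audit a real account; otherwise use the samples.
    if len(sys.argv) == 5:
        inputs = [json.load(open(p)) for p in sys.argv[1:]]
    else:
        inputs = [SAMPLE_VPCS, SAMPLE_SUBNETS, SAMPLE_SGS, SAMPLE_RTS]
    print(json.dumps(audit(*inputs), indent=2))
```

To run it against a real account, save the output of aws ec2 describe-vpcs, aws ec2 describe-subnets, aws ec2 describe-security-groups and aws ec2 describe-route-tables to four files (once per region, with --region us-east-1 and --region eu-central-1) and pass the four paths in that order. The inbound_rules listing is there on purpose: the page states the group has one rule for all incoming traffic, and you should see precisely that and no more.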

Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.

The triggers for an image scan are:

  • On push - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image within 2 hours.

  • Continuous scan - Defender for Containers reassesses the images against Trivy's latest vulnerability database. This reassessment is performed twice a day for 90 days after an image is pushed to the registry.

Prerequisites

Before you can scan your ECR images, your AWS account must be connected to Defender for Cloud and Defender for Containers must be enabled on that connector, as described above.

For a list of the types of images not supported by Microsoft Defender for Containers, see Availability.

Enable vulnerability assessment

To enable vulnerability assessment:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the AWS connector that connects to your AWS account.

    Screenshot of Defender for Cloud's environment settings page showing an AWS connector.

  3. In the Monitoring Coverage section of the Containers plan, select Settings.

    Screenshot of Containers settings for the AWS connector.

  4. Turn on Vulnerability assessment.

    Screenshot of the toggle to turn on vulnerability assessment for ECR images.

  5. Select Save > Next: Configure access.

  6. Download the CloudFormation template.

  7. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. It takes up to 30 minutes for the AWS resources to be created. The resources have the prefix defender-for-containers-va.

  8. Select Next: Review and generate.

  9. Select Update.

Findings are available as Defender for Cloud recommendations starting about 2 hours after vulnerability assessment is turned on. The recommendation also shows the reason a repository is identified as not scannable ("Not applicable"), for example because its images were pushed more than 3 months before you enabled vulnerability assessment.
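The scan triggers listed earlier and the "Not applicable" reason just described together decide whether a given image will get findings at all. The following added example (not Microsoft's code) classifies the images returned by aws ecr describe-images against those rules and estimates how many reassessments each image still has left. The image listing, the enablement time and the current time are constructed; it assumes "3 months" means 90 days and that the twice-daily reassessments are spaced 12 hours apart.

```python
"""Classify ECR images against the documented scan triggers: a scan within
2 hours of push, reassessment twice a day for 90 days after push, and
"Not applicable" for images pushed more than 3 months before enablement.
Editor-added example, not Microsoft's code. Input is the JSON shape of
`aws ecr describe-images`; the listing below is constructed. Assumptions:
"3 months" is treated as 90 days; "twice a day" as every 12 hours."""
from datetime import datetime, timedelta, timezone

ON_PUSH_SLA = timedelta(hours=2)        # documented: scanned within 2 hours of push
RESCAN_WINDOW = timedelta(days=90)      # documented: reassessed for 90 days after push
RESCAN_INTERVAL = timedelta(hours=12)   # assumption: "twice a day" as every 12 hours


def image_status(pushed_at, enabled_at, now):
    """Where one image stands in the scan lifecycle at time `now`."""
    if pushed_at > now:
        return "clock skew: push time is in the future"
    if enabled_at - pushed_at > RESCAN_WINDOW:
        return "not applicable: pushed more than 90 days before enablement"
    if now - pushed_at > RESCAN_WINDOW:
        return "aged out: no further reassessment, push a new image to rescan"
    # First results arrive within 2 hours of the push, or of enablement for older images.
    if now - max(pushed_at, enabled_at) <= ON_PUSH_SLA:
        return "initial scan pending"
    return "in continuous reassessment window"


def rescans_remaining(pushed_at, now):
    """Reassessments still to come before the 90-day window closes (0 once it has)."""
    left = pushed_at + RESCAN_WINDOW - now
    return max(0, int(left / RESCAN_INTERVAL))


def summarize(describe_images, enabled_at, now):
    """One row per image: digest, tags, lifecycle status, reassessments left."""
    rows = []
    for img in describe_images["imageDetails"]:
        pushed = datetime.fromisoformat(img["imagePushedAt"])
        rows.append({
            "digest": img["imageDigest"],
            "tags": img.get("imageTags") or ["<untagged>"],
            "status": image_status(pushed, enabled_at, now),
            "rescans_remaining": rescans_remaining(pushed, now),
        })
    return rows


# Constructed describe-images output (digests and dates are placeholders).
SAMPLE_IMAGES = {"imageDetails": [
    {"imageDigest": "sha256:aaaa", "imageTags": ["v1.0"], "imagePushedAt": "2024-01-01T00:00:00+00:00"},
    {"imageDigest": "sha256:bbbb", "imageTags": ["v1.1"], "imagePushedAt": "2024-05-15T00:00:00+00:00"},
    {"imageDigest": "sha256:cccc", "imageTags": ["v1.2"], "imagePushedAt": "2024-06-01T09:00:00+00:00"},
    {"imageDigest": "sha256:dddd", "imageTags": None,     "imagePushedAt": "2024-06-01T09:30:00+00:00"},
]}
ENABLED_AT = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)   # constructed: when VA was switched on
NOW = datetime(2024, 6, 1, 10, 30, tzinfo=timezone.utc)         # constructed: evaluation time

if __name__ == "__main__":
    for row in summarize(SAMPLE_IMAGES, ENABLED_AT, NOW):
        print(f"{row['digest']:14} {','.join(row['tags']):12} {row['rescans_remaining']:4}  {row['status']}")
```

Run it against aws ecr describe-images --repository-name <repo> output with your real enablement time to see which images will never be assessed (pushed too long before enablement) and which have dropped out of the reassessment window; for either group the only way to get a current result is to push a fresh image.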

View and remediate findings

Vulnerability assessment lists the repositories with vulnerable images as the results of the Elastic container registry images should have vulnerability findings resolved recommendation. From the recommendation, you can identify vulnerable images and get details about the vulnerabilities.

Vulnerability findings for an image are still shown in the recommendation for 48 hours after an image is deleted.

  1. To view the findings, open the Recommendations page. If the scan found issues, you'll see the recommendation Elastic container registry images should have vulnerability findings resolved.

    Screenshot of the Recommendation to remediate findings in ECR images.

  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of repositories with vulnerable images ("Affected resources") and the remediation steps.

  3. Select specific repositories to see the vulnerabilities found in images in those repositories.

    Screenshot of ECR repositories that have vulnerabilities.

    The vulnerabilities section shows the identified vulnerabilities.

  4. To learn more about a vulnerability, select the vulnerability.

    The vulnerability details pane opens.

    Screenshot of vulnerability details in ECR repositories.

    This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

  5. Follow the steps in the remediation section of the recommendation.

  6. When you've taken the steps required to remediate the security issue, replace the image in your registry:

    1. Push the updated image to trigger a scan.

    2. Check the recommendations page for the recommendation Elastic container registry images should have vulnerability findings resolved.

      If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

    3. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the “old” vulnerable image from your registry.

Next steps

Learn more about: