AWS ECR Connector

For AWS ECR you’ll need to create a connector to connect to your AWS account.

Create Connector for AWS ECR Registry

1) In the Container Security UI, go to Assets > Registries and click New Registry.  

2) Pick AWS ECR from the Registry Type menu.  

3) Choose a region from the Region menu.  

4) Click Create New next to the Connector field.  

5) On the Connector Details page, give your connector a name.

6) Take note of the Qualys AWS Account ID and External ID in the connector details. Continue with the steps below to create a role for cross-account access using the connector details provided. (Note that the steps you need also appear in the UI, on the right side of the Connector Details screen.)

AWS ECR

Create a Role for Cross-Account Access

1) Log in to Amazon Web Services (AWS) Console.

2) Go to the IAM service.

3) Go to Roles and click Create Role

4) Under “Select type of trusted entity” choose Another AWS account. Then:

- Paste in the Qualys AWS Account ID (from connector details).

- Select Require external ID and paste in the External ID (from connector details).

- Click Next: Permissions

5) Find the policy titled “AmazonEC2ContainerRegistryReadOnly” and select the check box next to it. We recommend you use this default AWS policy. If you want to use a custom policy, see important details below.  

6) Enter a role name (e.g. CMS) and click Create role.

7) Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.  

Using a Custom Policy?  

To use a custom policy and to match all repositories that belong to a specific account, you can use a wildcard (*) when defining the Resource JSON policy element. See the proper formatting for the JSON below. Note that there are two statements defined inside the Statement element. Both statements must be present. You’ll also need to replace the region and account number (shown in bold red) with appropriate values.  

Define your policy first and then follow the steps outlined above to create a role for cross-account access using the Qualys AWS Account ID and External ID from the connector details in the Container Security UI. In Step 5, pick your custom policy instead of “AmazonEC2ContainerRegistryReadOnly”.

After creating the custom policy, finish the role creation with step 6 and 7.

Policy JSON:  

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Sid": "Statement1",

           "Effect": "Allow",

           "Action": [

               "ecr:GetDownloadUrlForLayer",

               "ecr:BatchGetImage",

               "ecr:DescribeImages",

               "ecr:ListImages",

               "ecr:GetRepositoryPolicy"

           ],

           "Resource": "arn:aws:ecr:us-west-1:123456789012:repository/*"

       },

       {

           "Sid": "Statement2",

           "Effect": "Allow",

           "Action": [

               "ecr:DescribeRepositories",

               "ecr:GetAuthorizationToken"

           ],

           "Resource": "*"

       }

   ]

}