The architecture for this workload is as follows.
Container images are built from multiple layers. These typically include the base operating system, system packages, and application code with its dependencies. Each of these layers can introduce vulnerabilities into your containers.
When Snyk Container scans an image, it first finds the software installed. For example:
After Snyk has the list of installed software, it is cross-referenced against the Snyk Vulnerability DB, which combines public sources with proprietary research. The Snyk Vulnerability DB provides customers with detailed information and remediation guidance for known vulnerabilities.
Snyk detects vulnerabilities in images based on:
Note: Snyk also supports images using packages from those distributions but without the associated package manager, such as Distroless images.
Snyk also publishes an official AWS Quick Start that sets up the ECR integration for you. It can be used instead of the manual process detailed below.
To integrate ECR with Snyk, you first need to create IAM permissions that allow Snyk to pull and inspect Docker images in ECR. All of the actions below are read-only; Snyk never needs push or delete rights on your repositories.
In the IAM console, go to Policies and create a new policy with the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnykAllowPull",
      "Effect": "Allow",
      "Action": [
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:ListImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy"
      ],
      "Resource": "*"
    }
  ]
}
"Resource": "*" grants read access to every repository in the account. If Snyk only needs to scan some repositories, restrict every action except ecr:GetAuthorizationToken to those repository ARNs (arn:aws:ecr:REGION:ACCOUNT:repository/NAME); ecr:GetAuthorizationToken is account-wide and must keep "Resource": "*".
Now go to the IAM Roles section, create a new role and attach the policy you created above. The page uses the name AWSServiceRoleforECR; note that this is confusingly close to AWSServiceRoleForECR, the name AWS reserves for the ECR service-linked role, so a distinct name such as SnykECRRole (the name used in the CLI steps below) is easier to audit.
After you create the role, edit its trust relationship so that only Snyk's ECR integration user can assume it. The principal below is Snyk's account and must be copied exactly; do not widen it to the account root or to "*":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::198361731867:user/ecr-integration-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Copy the role ARN which will be used later in the Snyk console.
Before following the steps below, make sure your AWS CLI profile has at least the iam:CreatePolicy, iam:CreateRole and iam:AttachRolePolicy permissions. For completeness, ensure you also have delete permissions for IAM roles and policies (iam:DeleteRole, iam:DeletePolicy, iam:DetachRolePolicy) so you can clean up or redo the setup.
In the AWS account where you have a Docker image stored in ECR, run the following AWS CLI command:
aws iam create-policy --policy-name SnykECRPolicy --policy-document file://snyk-policy.json
The contents of snyk-policy.json (identical to the console policy above) are:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnykAllowPull",
      "Effect": "Allow",
      "Action": [
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:ListImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy"
      ],
      "Resource": "*"
    }
  ]
}
After the policy is created, note the policy ARN printed by the command (arn:aws:iam::ACCOUNT:policy/SnykECRPolicy); you need it to attach the policy to the role. Then create the IAM role in the same account:
aws iam create-role --role-name SnykECRRole --assume-role-policy-document file://assume.json
The assume.json file contains:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::198361731867:user/ecr-integration-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
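The CLI steps above, scripted end to end, as an added example that is not Snyk's own tooling. It writes the two policy documents, tightens the repository-level actions to named repository ARNs instead of "Resource": "*" (only ecr:GetAuthorizationToken stays account-wide, since it has no resource scope), checks that the trust policy admits nothing but Snyk's integration user, and then creates the policy, creates the role and attaches the policy to it, which the plain create-role command does not do on its own. The account id, region, repository names and output file names are assumptions for illustration; the Snyk principal and the action list are the ones on this page.

```shell
#!/bin/sh
# Added example: scripted Snyk/ECR IAM setup. Not part of the original page or Snyk's tooling.
# Usage: sh snyk-ecr.sh apply 123456789012 us-east-1 my-app my-api
# (account id, region and repository names are placeholders you replace)
set -eu

SNYK_PRINCIPAL="arn:aws:iam::198361731867:user/ecr-integration-user"  # Snyk's integration user, from the page
POLICY_NAME="SnykECRPolicy"
ROLE_NAME="SnykECRRole"

# The page's action list minus ecr:GetAuthorizationToken: these all accept a repository ARN as Resource.
REPO_ACTIONS='"ecr:GetLifecyclePolicyPreview","ecr:GetDownloadUrlForLayer","ecr:BatchGetImage","ecr:DescribeImages","ecr:DescribeRepositories","ecr:ListTagsForResource","ecr:ListImages","ecr:BatchCheckLayerAvailability","ecr:GetRepositoryPolicy","ecr:GetLifecyclePolicy"'

# repo_arns ACCOUNT REGION REPO... -> JSON array of repository ARNs
repo_arns() {
  account=$1; region=$2; shift 2
  out=""
  for repo in "$@"; do
    arn="\"arn:aws:ecr:${region}:${account}:repository/${repo}\""
    out="${out:+$out,}$arn"
  done
  printf '[%s]' "$out"
}

# write_snyk_policy FILE ACCOUNT REGION REPO... : permissions policy scoped to the given repositories
write_snyk_policy() {
  file=$1; shift
  resources=$(repo_arns "$@")
  cat > "$file" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnykAllowPull",
      "Effect": "Allow",
      "Action": [${REPO_ACTIONS}],
      "Resource": ${resources}
    },
    {
      "Sid": "SnykAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
EOF
}

# write_trust_policy FILE : only Snyk's integration user may assume the role
write_trust_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${SNYK_PRINCIPAL}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# check_trust_policy FILE : fail unless the Snyk principal is present and no wildcard/root principal crept in
check_trust_policy() {
  grep -q "\"AWS\": \"${SNYK_PRINCIPAL}\"" "$1" || return 1
  ! grep -Eq '"AWS": *"\*"|:root"' "$1"
}

# apply ACCOUNT REGION REPO... : create policy and role, attach the policy, print the role ARN for the Snyk console
apply() {
  write_snyk_policy snyk-policy.json "$@"
  write_trust_policy assume.json
  check_trust_policy assume.json
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document file://snyk-policy.json --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://assume.json --query Role.Arn --output text
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
}

if [ "${1-}" = apply ]; then
  shift
  apply "$@"
fi
```

The role ARN printed by create-role is the value you paste into the Snyk console in the final step. If you later add repositories that Snyk should scan, regenerate snyk-policy.json with the new names and create a new policy version rather than falling back to "Resource": "*".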
Before switching to Snyk, make sure the SnykECRPolicy policy is actually attached to SnykECRRole: the console steps above attach it when the role is created, but the CLI create-role command only creates the role, so attach the policy (with aws iam attach-role-policy, or in the console) and then copy the role ARN.
In the Snyk console, open Settings in the top bar, go to Integrations, select ECR, and enter the region and the IAM role ARN you created earlier.