Configure your private Amazon Elastic Container Registry (ECR) in the Mend Platform

Overview

The Mend container image registry scanning solution can integrate with your private ECR using your provided access and secret keys.

Getting it done

Prerequisites before you scan ECR with Mend Container

• Your Mend user must be an organization administrator.

• Your Amazon ECR user that owns the access and secret keys provided to Mend for authentication must have an IAM policy attached with the necessary actions for all registry resources. See the Amazon ECR setup section of this document for instructions.

Amazon ECR setup

Step 1: Create the access and secret keys in AWS: 

1. Navigate to your AWS Management Console and open the IAM console. 

2. Select Users and click on the user that will be used for the integration.

3. Navigate to the Security Credentials tab → Access keys section and click on Create access key.

4. Once you finish, keep the access and secret keys on hand for the integration.

Step 2: Create the policy in AWS:

1. Navigate to your AWS Management Console and open the IAM console.

2. In the navigation pane on the left, select Policies and click Create.

3. Specify the required actions:

"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource",
"ecr:DescribeImages"

Step 3: Attach the policy in AWS:

1. Navigate to your AWS Management Console and open the IAM console.

2. Select Users and click on the user that owns the access and secret keys generated in Step 1.

3. Navigate to the Permissions tab and click on Add permissions → Add permissions.

4. For the Permissions options, select Attach policies directly.

5. Select the created policy from Step 2 and click on Next.

6. Click on Add Permissions to attach the policy to the user.

Set up your private ECR configuration via the Mend Platform UI

1. In the Mend Platform UI, navigate to → Integrations.

2. Scroll down to the ‘Registries’ section and click ‘Amazon ECR’ to open the setup wizard.
   

   

The Setup Wizard

Step 1 - Fill in the General Details fields:

a. Display Name
b. Description (optional)
c. Environment (multi-selection is supported)
Click the button at the bottom right to move on to Step 2 - Authentication.

Step 2 - Fill in the Authentication information

a. Region
b. Access Key
c. Secret Key
Click the button at the bottom right to move on to Step 3 - Configuration.

Step 3 - Fill in the Configuration information to define your scan schedule

a. Scan Time
b. Frequency
Scheduling image registry scans is crucial for maintaining the security and integrity of your container images. By default, a scan interval of 7 days will be applied. You can change the scan interval in 1-day increments or select specific days of the week when you wish for scans to be executed.

Click the button at the bottom right to move on to Step 4 - Summary, to view the summary of your setup as a final step before adding your registry.

Step 4 - Summary

In this step, the summary of your input from steps 1-3 will be displayed. You can go back to the previous screens of the wizard to make changes, by clicking the ‘Back’ button at the bottom right corner of the screen. If you wish to confirm your configuration and add your registry, click the ‘Done’ button:

A Registry Added Successfully message will pop-up at the bottom-left corner of the user interface once the integration credentials and configuration have been verified:

Note: Before adding your registry, a connectivity check will be performed automatically, to ensure the credentials are valid and the registry is accessible for the integration.

Reference

Private ECR parameters

Amazon ECR resources

Visit Amazon’s documentation below for more information on the topics related to the Mend private ECR integration:

• Managing access keys (console)

• Creating IAM policies (console)

  • API Reference → Actions

• Adding and removing IAM identity permissions