Revision history

initial version

To configure or activate ECR enhanced scanning using AWS CDK, you can follow the below steps:

  1. Install the necessary AWS CDK dependencies and set up your project.

  2. In your code editor, import the necessary libraries (RemovalPolicy and ServicePrincipal are used in the later steps, so they must be imported as well):

import { RemovalPolicy } from '@aws-cdk/core';
import { Effect, PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam';
import { CfnRepository, Repository } from '@aws-cdk/aws-ecr';

  3. Create an ECR repository:
// Run inside a Stack (or Construct) so that `this` is a valid scope.
const ecrRepository = new Repository(this, 'ECRRepositoryName', {
  repositoryName: 'example_repository_name',
  // DESTROY deletes the repository when the stack is deleted; use RETAIN for production images.
  removalPolicy: RemovalPolicy.DESTROY,
});

  4. Enable ECR enhanced scanning for the repository by adding the following policy statements to allow ECR to perform the relevant actions:
// Repository resource policy granting the ECR service principal the listed actions.
ecrRepository.addToResourcePolicy(new PolicyStatement({
  actions: [
    "ecr:DescribeImages",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:PutImageScanningConfiguration",
  ],
  principals: [new ServicePrincipal('ecr.amazonaws.com')],
  effect: Effect.ALLOW,
}));

  5. Finally, you need to set the ImageScanningConfiguration property of the CfnRepository instance:
// Reach the underlying CloudFormation resource (L1 construct) behind the L2 Repository.
const ecrRepoCFN = ecrRepository.node.defaultChild as CfnRepository;
ecrRepoCFN.imageScanningConfiguration = {
  scanOnPush: true,
};

  6. Deploy your application, and the ECR repository with the enhanced scanning feature will be created with the configured settings.

Note: Make sure you have sufficient permissions to create an ECR repository and to add the required policy statements.
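The steps above end at deployment, but a practitioner usually also wants a check that catches a repository whose scan setting was dropped or set to false before it reaches the account. The following is an added example, not code from the answer above or from the CDK project: it inspects a CloudFormation template in the shape that `cdk synth` produces (`AWS::ECR::Repository` resources with an `ImageScanningConfiguration.ScanOnPush` property) and reports every repository that does not have scan-on-push enabled. The template embedded below is constructed for the example; with a real stack you would feed the function the synthesized template JSON instead (for instance the object returned by the CDK assertions module's `Template.fromStack(stack).toJSON()`). The resource logical IDs and the `findUnscannedRepositories`/`runCheck` names are assumptions chosen here.

```typescript
// Added example (not part of the original answer): a pre-deploy compliance check over a
// synthesized CloudFormation template. It flags every AWS::ECR::Repository whose
// ImageScanningConfiguration.ScanOnPush is missing or not `true`.

interface CfnResource {
  Type?: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources?: Record<string, CfnResource>;
}

interface Finding {
  logicalId: string;
  repositoryName: string;
  reason: string;
}

// Walks all resources in the template and returns one finding per non-compliant repository.
function findUnscannedRepositories(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources ?? {})) {
    if (resource.Type !== 'AWS::ECR::Repository') continue;
    const props = resource.Properties ?? {};
    const repositoryName =
      typeof props.RepositoryName === 'string' ? props.RepositoryName : logicalId;
    const scanning = props.ImageScanningConfiguration as { ScanOnPush?: unknown } | undefined;
    if (scanning === undefined) {
      // No configuration at all: CloudFormation leaves scan-on-push disabled by default.
      findings.push({ logicalId, repositoryName, reason: 'ImageScanningConfiguration is missing' });
    } else if (scanning.ScanOnPush !== true) {
      findings.push({
        logicalId,
        repositoryName,
        reason: `ScanOnPush is ${JSON.stringify(scanning.ScanOnPush)}, expected true`,
      });
    }
  }
  return findings;
}

// Constructed sample template: one repository configured as in the answer above,
// one that omitted the scanning configuration, and one that explicitly disabled it.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    ScannedRepo: {
      Type: 'AWS::ECR::Repository',
      Properties: {
        RepositoryName: 'example_repository_name',
        ImageScanningConfiguration: { ScanOnPush: true },
      },
    },
    UnscannedRepo: {
      Type: 'AWS::ECR::Repository',
      Properties: { RepositoryName: 'forgot_scanning' },
    },
    LegacyRepo: {
      Type: 'AWS::ECR::Repository',
      Properties: {
        RepositoryName: 'legacy_images',
        ImageScanningConfiguration: { ScanOnPush: false },
      },
    },
    UnrelatedBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: {},
    },
  },
};

// Prints every finding and returns true only when the template is fully compliant,
// so a CI step can fail the build on a false result.
function runCheck(template: CfnTemplate = SAMPLE_TEMPLATE): boolean {
  const findings = findUnscannedRepositories(template);
  for (const f of findings) {
    console.error(`[FAIL] ${f.logicalId} (${f.repositoryName}): ${f.reason}`);
  }
  return findings.length === 0;
}

runCheck(); // on the sample template this reports UnscannedRepo and LegacyRepo
```

Run the check against the output of `cdk synth` as a unit test or pipeline gate; the `scanOnPush: true` assignment from step 5 is what makes `ScannedRepo` pass, while a repository created without it fails the way `UnscannedRepo` does.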